Windows Analysis Report justificante de la transfer.exe

Overview

General Information

Sample Name: justificante de la transfer.exe
Analysis ID: 526293
MD5: e565201ac69a8a2fa7ee22e0809f7b3c
SHA1: fed196aeff9aca57c198b0b99a9c9bc6e01d31b9
SHA256: b6fad861abae70b69d7f0ef4e51756b181149e165ada09aee47e3d2bd5f9a0c6
Tags: exe
Detection

GuLoader
Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Found potential dummy code loops (likely to delay analysis)
Uses 32bit PE files
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Contains functionality to read the PEB
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to call native functions
Program does not show much activity (idle)
Contains functionality for execution timing, often used to detect debuggers
Abnormal high CPU Usage

AV Detection:

Found malware configuration
Source: 00000000.00000002.870508386.0000000002280000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?exporto"}

Compliance:

Uses 32bit PE files
Source: justificante de la transfer.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://drive.google.com/uc?exporto

System Summary:

Uses 32bit PE files
Source: justificante de la transfer.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Sample file is different than original file name gathered from version info
Source: justificante de la transfer.exe, 00000000.00000000.345440290.0000000000445000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameCappuccino.exe vs justificante de la transfer.exe
Source: justificante de la transfer.exe Binary or memory string: OriginalFilenameCappuccino.exe vs justificante de la transfer.exe
PE file contains strange resources
Source: justificante de la transfer.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: justificante de la transfer.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Detected potential crypto function
Contains functionality to call native functions
Source: C:\Users\user\Desktop\justificante de la transfer.exe Code function: 0_2_0228776F NtAllocateVirtualMemory, 0_2_0228776F
Source: C:\Users\user\Desktop\justificante de la transfer.exe Code function: 0_2_02287814 NtAllocateVirtualMemory, 0_2_02287814
Source: C:\Users\user\Desktop\justificante de la transfer.exe Code function: 0_2_022878F8 NtAllocateVirtualMemory, 0_2_022878F8
Source: C:\Users\user\Desktop\justificante de la transfer.exe Code function: 0_2_0228779F NtAllocateVirtualMemory, 0_2_0228779F
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\justificante de la transfer.exe Process Stats: CPU usage > 98%
Source: justificante de la transfer.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\justificante de la transfer.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\justificante de la transfer.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\justificante de la transfer.exe File created: C:\Users\user\AppData\Local\Temp\~DFEB935E0BE46A145A.TMP
Source: classification engine Classification label: mal64.troj.evad.winEXE@1/1@0/0

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000000.00000002.870508386.0000000002280000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\justificante de la transfer.exe Code function: 0_2_00406467 push esi; iretd 0_2_00406468
Source: C:\Users\user\Desktop\justificante de la transfer.exe Code function: 0_2_00404E11 push eax; ret 0_2_00404E19
Source: C:\Users\user\Desktop\justificante de la transfer.exe Code function: 0_2_00403CFC push cs; retf 0_2_00403D26
Source: C:\Users\user\Desktop\justificante de la transfer.exe Code function: 0_2_004045D2 push cs; iretd 0_2_004045ED
Source: C:\Users\user\Desktop\justificante de la transfer.exe Code function: 0_2_00404B97 push eax; retf 0_2_00404B99
Source: C:\Users\user\Desktop\justificante de la transfer.exe Code function: 0_2_00404DB7 push cs; retf 0_2_00404DBB
Source: C:\Users\user\Desktop\justificante de la transfer.exe Code function: 0_2_02287E7E push esi; retf 0_2_02287E86
Source: C:\Users\user\Desktop\justificante de la transfer.exe Code function: 0_2_022806B9 push eax; iretd 0_2_022806D8
Source: C:\Users\user\Desktop\justificante de la transfer.exe Code function: 0_2_02282CEB push es; ret 0_2_02282CF0
Source: C:\Users\user\Desktop\justificante de la transfer.exe Code function: 0_2_022820E0 push edi; ret 0_2_02282106
Source: C:\Users\user\Desktop\justificante de la transfer.exe Code function: 0_2_02280FDB push 83025563h; ret 0_2_02280FF1
Source: C:\Users\user\Desktop\justificante de la transfer.exe Code function: 0_2_022835DB push eax; ret 0_2_022835DC
Source: C:\Users\user\Desktop\justificante de la transfer.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\justificante de la transfer.exe Window / User API: threadDelayed 6236
Source: C:\Users\user\Desktop\justificante de la transfer.exe Window / User API: threadDelayed 3764
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\justificante de la transfer.exe Code function: 0_2_0228707C rdtsc 0_2_0228707C

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)
Source: C:\Users\user\Desktop\justificante de la transfer.exe Process Stats: CPU usage > 90% for more than 60s
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\justificante de la transfer.exe Code function: 0_2_02286EA3 mov eax, dword ptr fs:[00000030h] 0_2_02286EA3
Source: C:\Users\user\Desktop\justificante de la transfer.exe Code function: 0_2_02289E9A mov eax, dword ptr fs:[00000030h] 0_2_02289E9A
Source: C:\Users\user\Desktop\justificante de la transfer.exe Code function: 0_2_0228AB72 mov eax, dword ptr fs:[00000030h] 0_2_0228AB72
Source: C:\Users\user\Desktop\justificante de la transfer.exe Code function: 0_2_0228994C mov eax, dword ptr fs:[00000030h] 0_2_0228994C
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\justificante de la transfer.exe Code function: 0_2_0228707C rdtsc 0_2_0228707C
Source: C:\Users\user\Desktop\justificante de la transfer.exe Code function: 0_2_0228BB0F RtlAddVectoredExceptionHandler, 0_2_0228BB0F
Source: justificante de la transfer.exe, 00000000.00000002.870177230.0000000000C50000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: justificante de la transfer.exe, 00000000.00000002.870177230.0000000000C50000.00000002.00020000.sdmp Binary or memory string: Progman
Source: justificante de la transfer.exe, 00000000.00000002.870177230.0000000000C50000.00000002.00020000.sdmp Binary or memory string: &Program Manager
Source: justificante de la transfer.exe, 00000000.00000002.870177230.0000000000C50000.00000002.00020000.sdmp Binary or memory string: Progmanlock
No contacted IP infos