Windows Analysis Report n#U00ba410000512664.exe

Overview

General Information

Sample Name:	n#U00ba410000512664.exe
Analysis ID:	526313
MD5:	7c91db57c98a1f0e38ba65ed651b4779
SHA1:	28cb0d40a73c1a421a9720808d49da010f9ff4ef
SHA256:	12992fe3f998693d92625c53bf5aa6723e87c8c3fb7057dbba4b334742cab376
Tags:	exe
Infos:
Most interesting Screenshot:

Detection

GuLoader

Score:	68
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Yara detected GuLoader

Found potential dummy code loops (likely to delay analysis)

Machine Learning detection for sample

C2 URLs / IPs found in malware configuration

Uses 32bit PE files

Sample file is different than original file name gathered from version info

PE file contains strange resources

Contains functionality to read the PEB

Program does not show much activity (idle)

Uses code obfuscation techniques (call, push, ret)

Contains functionality for execution timing, often used to detect debuggers

Abnormal high CPU Usage

Detected potential crypto function

Classification

Signatures

AV Detection:

Found malware configuration

Source: 00000000.00000002.781957449.00000000021F0000.00000040.00000001.sdmp

Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=downlo_"}

Machine Learning detection for sample

Source: n#U00ba410000512664.exe

Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files

Source: n#U00ba410000512664.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: https://drive.google.com/uc?export=downlo_

Source: n#U00ba410000512664.exe	String found in binary or memory: http://topqualityfreeware.com
Source: n#U00ba410000512664.exe	String found in binary or memory: http://www.topqualityfreeware.com/

System Summary:

Uses 32bit PE files

Source: n#U00ba410000512664.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Sample file is different than original file name gathered from version info

Source: n#U00ba410000512664.exe, 00000000.00000000.252485383.0000000000426000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameObumbration1.exe vs n#U00ba410000512664.exe
Source: n#U00ba410000512664.exe	Binary or memory string: OriginalFilenameObumbration1.exe vs n#U00ba410000512664.exe

PE file contains strange resources

Source: n#U00ba410000512664.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: n#U00ba410000512664.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Abnormal high CPU Usage

Source: C:\Users\user\Desktop\n#U00ba410000512664.exe

Process Stats: CPU usage > 98%

Detected potential crypto function

Source: C:\Users\user\Desktop\n#U00ba410000512664.exe	Code function: 0_2_004090A6	0_2_004090A6
Source: C:\Users\user\Desktop\n#U00ba410000512664.exe	Code function: 0_2_02206B59	0_2_02206B59
Source: C:\Users\user\Desktop\n#U00ba410000512664.exe	Code function: 0_2_021FE22D	0_2_021FE22D
Source: C:\Users\user\Desktop\n#U00ba410000512664.exe	Code function: 0_2_021F9E78	0_2_021F9E78
Source: C:\Users\user\Desktop\n#U00ba410000512664.exe	Code function: 0_2_021F9AAB	0_2_021F9AAB
Source: C:\Users\user\Desktop\n#U00ba410000512664.exe	Code function: 0_2_021F92A8	0_2_021F92A8
Source: C:\Users\user\Desktop\n#U00ba410000512664.exe	Code function: 0_2_021FAADB	0_2_021FAADB
Source: C:\Users\user\Desktop\n#U00ba410000512664.exe	Code function: 0_2_021FAED8	0_2_021FAED8
Source: C:\Users\user\Desktop\n#U00ba410000512664.exe	Code function: 0_2_02204AF5	0_2_02204AF5
Source: C:\Users\user\Desktop\n#U00ba410000512664.exe	Code function: 0_2_021F9314	0_2_021F9314
Source: C:\Users\user\Desktop\n#U00ba410000512664.exe	Code function: 0_2_021F0B33	0_2_021F0B33
Source: C:\Users\user\Desktop\n#U00ba410000512664.exe	Code function: 0_2_021FA320	0_2_021FA320
Source: C:\Users\user\Desktop\n#U00ba410000512664.exe	Code function: 0_2_021FA75D	0_2_021FA75D
Source: C:\Users\user\Desktop\n#U00ba410000512664.exe	Code function: 0_2_021FA364	0_2_021FA364
Source: C:\Users\user\Desktop\n#U00ba410000512664.exe	Code function: 0_2_021F9FAC	0_2_021F9FAC
Source: C:\Users\user\Desktop\n#U00ba410000512664.exe	Code function: 0_2_021F9BD3	0_2_021F9BD3
Source: C:\Users\user\Desktop\n#U00ba410000512664.exe	Code function: 0_2_021F9836	0_2_021F9836
Source: C:\Users\user\Desktop\n#U00ba410000512664.exe	Code function: 0_2_021FAC2E	0_2_021FAC2E
Source: C:\Users\user\Desktop\n#U00ba410000512664.exe	Code function: 0_2_021F9858	0_2_021F9858
Source: C:\Users\user\Desktop\n#U00ba410000512664.exe	Code function: 0_2_021FB044	0_2_021FB044
Source: C:\Users\user\Desktop\n#U00ba410000512664.exe	Code function: 0_2_021FA878	0_2_021FA878
Source: C:\Users\user\Desktop\n#U00ba410000512664.exe	Code function: 0_2_021FD4B3	0_2_021FD4B3
Source: C:\Users\user\Desktop\n#U00ba410000512664.exe	Code function: 0_2_021FA4CC	0_2_021FA4CC
Source: C:\Users\user\Desktop\n#U00ba410000512664.exe	Code function: 0_2_021FA0EF	0_2_021FA0EF
Source: C:\Users\user\Desktop\n#U00ba410000512664.exe	Code function: 0_2_02202D07	0_2_02202D07
Source: C:\Users\user\Desktop\n#U00ba410000512664.exe	Code function: 0_2_021F9950	0_2_021F9950
Source: C:\Users\user\Desktop\n#U00ba410000512664.exe	Code function: 0_2_021F9D50	0_2_021F9D50
Source: C:\Users\user\Desktop\n#U00ba410000512664.exe	Code function: 0_2_021FAD6F	0_2_021FAD6F
Source: C:\Users\user\Desktop\n#U00ba410000512664.exe	Code function: 0_2_021FB186	0_2_021FB186
Source: C:\Users\user\Desktop\n#U00ba410000512664.exe	Code function: 0_2_021FA9B7	0_2_021FA9B7

Source: C:\Users\user\Desktop\n#U00ba410000512664.exe

File created: C:\Users\user\AppData\Local\Temp\~DFE27628A3FBE5D858.TMP

Jump to behavior

Source: n#U00ba410000512664.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\n#U00ba410000512664.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\n#U00ba410000512664.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: classification engine

Classification label: mal68.troj.evad.winEXE@1/1@0/0

Data Obfuscation:

Yara detected GuLoader

Source: Yara match

File source: 00000000.00000002.781957449.00000000021F0000.00000040.00000001.sdmp, type: MEMORY

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\n#U00ba410000512664.exe	Code function: 0_2_00404401 pushfd ; retf	0_2_0040441E
Source: C:\Users\user\Desktop\n#U00ba410000512664.exe	Code function: 0_2_00403826 push es; ret	0_2_00403828
Source: C:\Users\user\Desktop\n#U00ba410000512664.exe	Code function: 0_2_004044E5 pushfd ; retf	0_2_004044E6
Source: C:\Users\user\Desktop\n#U00ba410000512664.exe	Code function: 0_2_00404584 pushfd ; retf	0_2_00404596
Source: C:\Users\user\Desktop\n#U00ba410000512664.exe	Code function: 0_2_00404599 pushfd ; retf	0_2_004045AA
Source: C:\Users\user\Desktop\n#U00ba410000512664.exe	Code function: 0_2_004051BE push dword ptr [esi]; iretd	0_2_004051C5
Source: C:\Users\user\Desktop\n#U00ba410000512664.exe	Code function: 0_2_0040665D pushfd ; retf	0_2_0040665E
Source: C:\Users\user\Desktop\n#U00ba410000512664.exe	Code function: 0_2_00404279 pushfd ; retf	0_2_0040427A
Source: C:\Users\user\Desktop\n#U00ba410000512664.exe	Code function: 0_2_004062C1 pushfd ; retf	0_2_004062C2
Source: C:\Users\user\Desktop\n#U00ba410000512664.exe	Code function: 0_2_004072E1 pushfd ; retf	0_2_0040730E
Source: C:\Users\user\Desktop\n#U00ba410000512664.exe	Code function: 0_2_004096FC push eax; iretd	0_2_004096FF
Source: C:\Users\user\Desktop\n#U00ba410000512664.exe	Code function: 0_2_00404349 pushfd ; retf	0_2_0040434A
Source: C:\Users\user\Desktop\n#U00ba410000512664.exe	Code function: 0_2_00404335 pushfd ; retf	0_2_00404346
Source: C:\Users\user\Desktop\n#U00ba410000512664.exe	Code function: 0_2_0040633D pushfd ; retf	0_2_0040634A
Source: C:\Users\user\Desktop\n#U00ba410000512664.exe	Code function: 0_2_004067DE pushfd ; retf	0_2_004067E6
Source: C:\Users\user\Desktop\n#U00ba410000512664.exe	Code function: 0_2_0040A784 push 18165C0Eh; iretd	0_2_0040A789
Source: C:\Users\user\Desktop\n#U00ba410000512664.exe	Code function: 0_2_021F423B push 81528D88h; ret	0_2_021F4240
Source: C:\Users\user\Desktop\n#U00ba410000512664.exe	Code function: 0_2_021F2644 push ss; retf	0_2_021F2645
Source: C:\Users\user\Desktop\n#U00ba410000512664.exe	Code function: 0_2_021F6E73 push E8000002h; retf	0_2_021F6E78
Source: C:\Users\user\Desktop\n#U00ba410000512664.exe	Code function: 0_2_021F5ECB push edi; ret	0_2_021F5EC2
Source: C:\Users\user\Desktop\n#U00ba410000512664.exe	Code function: 0_2_021F0EF4 push eax; retf	0_2_021F0F07
Source: C:\Users\user\Desktop\n#U00ba410000512664.exe	Code function: 0_2_021F5C22 push edi; ret	0_2_021F5EC2
Source: C:\Users\user\Desktop\n#U00ba410000512664.exe	Code function: 0_2_021F1447 push ds; ret	0_2_021F1449
Source: C:\Users\user\Desktop\n#U00ba410000512664.exe	Code function: 0_2_021F48A7 pushfd ; ret	0_2_021F4A0D
Source: C:\Users\user\Desktop\n#U00ba410000512664.exe	Code function: 0_2_021F491D pushfd ; ret	0_2_021F4A0D
Source: C:\Users\user\Desktop\n#U00ba410000512664.exe	Code function: 0_2_021F191A push ebx; retf	0_2_021F1920
Source: C:\Users\user\Desktop\n#U00ba410000512664.exe	Code function: 0_2_021F4924 pushfd ; ret	0_2_021F4A0D
Source: C:\Users\user\Desktop\n#U00ba410000512664.exe	Code function: 0_2_021F5DDC push edi; ret	0_2_021F5EC2
Source: C:\Users\user\Desktop\n#U00ba410000512664.exe	Code function: 0_2_021F5DC1 push edi; ret	0_2_021F5EC2

Source: C:\Users\user\Desktop\n#U00ba410000512664.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion:

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\Desktop\n#U00ba410000512664.exe

Code function: 0_2_021FCAA8 rdtsc

0_2_021FCAA8

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)

Source: C:\Users\user\Desktop\n#U00ba410000512664.exe

Process Stats: CPU usage > 90% for more than 60s

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\n#U00ba410000512664.exe	Code function: 0_2_021FC664 mov eax, dword ptr fs:[00000030h]	0_2_021FC664
Source: C:\Users\user\Desktop\n#U00ba410000512664.exe	Code function: 0_2_022032C9 mov eax, dword ptr fs:[00000030h]	0_2_022032C9
Source: C:\Users\user\Desktop\n#U00ba410000512664.exe	Code function: 0_2_021F8730 mov eax, dword ptr fs:[00000030h]	0_2_021F8730
Source: C:\Users\user\Desktop\n#U00ba410000512664.exe	Code function: 0_2_0220286B mov eax, dword ptr fs:[00000030h]	0_2_0220286B

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\Desktop\n#U00ba410000512664.exe

Code function: 0_2_021FCAA8 rdtsc

0_2_021FCAA8

Source: C:\Users\user\Desktop\n#U00ba410000512664.exe

Code function: 0_2_02206B59 RtlAddVectoredExceptionHandler,

0_2_02206B59

Source: n#U00ba410000512664.exe, 00000000.00000002.781493325.0000000000C70000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: n#U00ba410000512664.exe, 00000000.00000002.781493325.0000000000C70000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: n#U00ba410000512664.exe, 00000000.00000002.781493325.0000000000C70000.00000002.00020000.sdmp	Binary or memory string: SProgram Managerl
Source: n#U00ba410000512664.exe, 00000000.00000002.781493325.0000000000C70000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd,
Source: n#U00ba410000512664.exe, 00000000.00000002.781493325.0000000000C70000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No contacted IP infos

ID:	526313
Product:	CloudBasic
Start time:	14:04:11
Start date:	22.11.2021
Sample:	n#U00ba410000512664.exe
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	7c91db57c98a1f0e38ba65ed651b4779
SHA1:	28cb0d40a73c1a421a9720808d49da010f9ff4ef
SHA256:	12992fe3f998693d92625c53bf5aa6723e87c8c3fb7057dbba4b334742cab376
Filetype:	Win32 Executable (generic) a (10002005/4) 99.15%

Windows Analysis Report n#U00ba410000512664.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

Networking:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Screenshots

Behavior Graph

Network Map