Windows Analysis Report 2GirCpksIO

Overview

General Information

Sample Name: 2GirCpksIO (renamed file extension from none to exe)
Analysis ID: 526365
MD5: 5cc619f7dd365ec061f1f385d25bea30
SHA1: 5b28cb97973da18953fb284648f13257f0aba2f3
SHA256: 7f5124088c09a925ad3a162b4e56391557dfc7d9950b9a55044036698d369d13

Detection

GuLoader
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Potential malicious icon found
Multi AV Scanner detection for submitted file
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Found potential dummy code loops (likely to delay analysis)
Machine Learning detection for sample
Uses 32bit PE files
Sample file is different than original file name gathered from version info
PE file contains strange resources
Contains functionality to read the PEB
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to call native functions
Program does not show much activity (idle)
Abnormal high CPU Usage

Classification

AV Detection:

Found malware configuration
Source: 00000000.00000002.781020135.0000000002930000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://afrocompass.com/karinedocesesalgados_Hpi"}
Multi AV Scanner detection for submitted file
Source: 2GirCpksIO.exe Virustotal: Detection: 32%
Source: 2GirCpksIO.exe ReversingLabs: Detection: 20%
Machine Learning detection for sample
Source: 2GirCpksIO.exe Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files
Source: 2GirCpksIO.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://afrocompass.com/karinedocesesalgados_Hpi

System Summary:

Potential malicious icon found
Source: initial sample Icon embedded in PE file: bad icon match: 20047c7c70f0e004
Uses 32bit PE files
Source: 2GirCpksIO.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Sample file is different than original file name gathered from version info
Source: 2GirCpksIO.exe, 00000000.00000002.779736362.000000000041B000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameSORNER.exe vs 2GirCpksIO.exe
Source: 2GirCpksIO.exe Binary or memory string: OriginalFilenameSORNER.exe vs 2GirCpksIO.exe
PE file contains strange resources
Source: 2GirCpksIO.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Detected potential crypto function
Source: C:\Users\user\Desktop\2GirCpksIO.exe Code function: 0_2_0293BE72 0_2_0293BE72
Source: C:\Users\user\Desktop\2GirCpksIO.exe Code function: 0_2_029418A6 0_2_029418A6
Source: C:\Users\user\Desktop\2GirCpksIO.exe Code function: 0_2_0293B688 0_2_0293B688
Source: C:\Users\user\Desktop\2GirCpksIO.exe Code function: 0_2_029402D0 0_2_029402D0
Source: C:\Users\user\Desktop\2GirCpksIO.exe Code function: 0_2_0293BA6E 0_2_0293BA6E
Source: C:\Users\user\Desktop\2GirCpksIO.exe Code function: 0_2_0293C399 0_2_0293C399
Source: C:\Users\user\Desktop\2GirCpksIO.exe Code function: 0_2_029303EC 0_2_029303EC
Source: C:\Users\user\Desktop\2GirCpksIO.exe Code function: 0_2_0293EC0A 0_2_0293EC0A
Source: C:\Users\user\Desktop\2GirCpksIO.exe Code function: 0_2_0293E876 0_2_0293E876
Contains functionality to call native functions
Source: C:\Users\user\Desktop\2GirCpksIO.exe Code function: 0_2_0293BE72 NtAllocateVirtualMemory, 0_2_0293BE72
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\2GirCpksIO.exe Process Stats: CPU usage > 98%
Source: 2GirCpksIO.exe Virustotal: Detection: 32%
Source: 2GirCpksIO.exe ReversingLabs: Detection: 20%
Source: 2GirCpksIO.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\2GirCpksIO.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\2GirCpksIO.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: classification engine Classification label: mal84.rans.troj.evad.winEXE@1/0@0/0
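The Compliance and System Summary entries above (COFF characteristics LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED, and the .text section flags IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ) are read straight out of the PE headers by a static triage pass. The Python below is an added example, not part of the Joe Sandbox report and not code from the sample: it builds a small, hand-constructed PE32 image carrying exactly those flag values (Characteristics 0x010F, .text flags 0x60000020) and decodes them. The constant names and values come from winnt.h; the header bytes, function names and triage notes are this example's own assumptions.

```python
"""Decode the PE header flags quoted in the Compliance / System Summary entries.

Added example: not part of the Joe Sandbox report and not code from the sample.
The PE image below is constructed by hand to carry the same COFF Characteristics
value (0x010F) and .text section flags (0x60000020) the report lists.
"""
import struct

IMAGE_FILE_MACHINE_I386 = 0x014C
PE32_MAGIC = 0x010B

# IMAGE_FILE_* characteristics (winnt.h)
FILE_CHARACTERISTICS = {
    0x0001: "RELOCS_STRIPPED",
    0x0002: "EXECUTABLE_IMAGE",
    0x0004: "LINE_NUMS_STRIPPED",
    0x0008: "LOCAL_SYMS_STRIPPED",
    0x0100: "32BIT_MACHINE",
    0x2000: "DLL",
}

# IMAGE_SCN_* section flags (winnt.h)
SECTION_FLAGS = {
    0x00000020: "IMAGE_SCN_CNT_CODE",
    0x00000040: "IMAGE_SCN_CNT_INITIALIZED_DATA",
    0x20000000: "IMAGE_SCN_MEM_EXECUTE",
    0x40000000: "IMAGE_SCN_MEM_READ",
    0x80000000: "IMAGE_SCN_MEM_WRITE",
}

# Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
# SizeOfOptionalHeader, Characteristics (IMAGE_FILE_HEADER, 20 bytes)
COFF_FMT = "<HHIIIHH"
# IMAGE_SECTION_HEADER (40 bytes); the last field is the section Characteristics
SECTION_FMT = "<8sIIIIIIHHI"


def build_sample_pe():
    """Constructed minimal PE32 image: DOS stub, COFF header, PE32 optional header, one .text section."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))            # e_lfanew: PE signature right after the stub
    coff = b"PE\0\0" + struct.pack(COFF_FMT, IMAGE_FILE_MACHINE_I386, 1, 0, 0, 0, 224, 0x010F)
    optional = struct.pack("<H", PE32_MAGIC) + bytes(222)  # PE32 optional header is 224 bytes
    text = struct.pack(SECTION_FMT, b".text", 0x1000, 0x1000, 0x1000, 0x400, 0, 0, 0, 0, 0x60000020)
    return bytes(dos) + coff + optional + text


def decode_flags(value, table):
    return sorted(name for bit, name in table.items() if value & bit)


def parse_pe(data):
    """Return machine, optional-header magic, COFF characteristics and per-section flags."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsections, _, _, _, opt_size, chars = struct.unpack_from(COFF_FMT, data, e_lfanew + 4)
    magic = struct.unpack_from("<H", data, e_lfanew + 24)[0]   # first word of the optional header
    sec_off = e_lfanew + 24 + opt_size
    sections = {}
    for i in range(nsections):
        fields = struct.unpack_from(SECTION_FMT, data, sec_off + 40 * i)
        name, sflags = fields[0].rstrip(b"\0").decode(), fields[-1]
        sections[name] = decode_flags(sflags, SECTION_FLAGS)
    return {
        "machine": machine,
        "magic": magic,
        "raw_characteristics": chars,
        "characteristics": decode_flags(chars, FILE_CHARACTERISTICS),
        "sections": sections,
    }


def triage(data):
    """Turn the decoded header into the kind of observations the report lists."""
    pe = parse_pe(data)
    notes = []
    if pe["machine"] == IMAGE_FILE_MACHINE_I386 and pe["magic"] == PE32_MAGIC:
        notes.append("32-bit PE32 image")
    if pe["raw_characteristics"] & 0x0001:
        notes.append("no relocations: the image cannot be rebased, so ASLR does not apply to it")
    for name, flags in pe["sections"].items():
        if "IMAGE_SCN_MEM_EXECUTE" in flags and "IMAGE_SCN_MEM_WRITE" in flags:
            notes.append(f"{name}: writable and executable section (unpacking/self-modifying code candidate)")
    return pe, notes


if __name__ == "__main__":
    pe, notes = triage(build_sample_pe())
    print("characteristics:", ", ".join(pe["characteristics"]))
    for name, flags in pe["sections"].items():
        print(f"section {name}:", ", ".join(flags))
    for note in notes:
        print("note:", note)
```

Replace build_sample_pe() with the bytes of a real file to run the same decode on a sample. Two points a practitioner takes from this report's values: RELOCS_STRIPPED means the loader cannot move the image, so it is always mapped at its preferred base and ASLR gives no protection against this file; and the .text flags here are read+execute only, so the loader's unpacked stage does not live in .text but in memory it allocates at run time, which matches the NtAllocateVirtualMemory call and the 0x0293xxxx addresses at which the report finds the GuLoader code.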

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000000.00000002.781020135.0000000002930000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\2GirCpksIO.exe Code function: 0_2_00407447 push esi; ret 0_2_00407448
Source: C:\Users\user\Desktop\2GirCpksIO.exe Code function: 0_2_004084D6 push ebp; retf 0_2_0040856D
Source: C:\Users\user\Desktop\2GirCpksIO.exe Code function: 0_2_0040688C pushfd ; iretd 0_2_0040688D
Source: C:\Users\user\Desktop\2GirCpksIO.exe Code function: 0_2_0040856E push ebp; retf 0_2_0040856D
Source: C:\Users\user\Desktop\2GirCpksIO.exe Code function: 0_2_00404572 push ecx; ret 0_2_0040459E
Source: C:\Users\user\Desktop\2GirCpksIO.exe Code function: 0_2_004091FD push ss; retf 0_2_00409213
Source: C:\Users\user\Desktop\2GirCpksIO.exe Code function: 0_2_0040798C pushfd ; ret 0_2_004079A0
Source: C:\Users\user\Desktop\2GirCpksIO.exe Code function: 0_2_004085A1 push ebp; retf 0_2_0040856D
Source: C:\Users\user\Desktop\2GirCpksIO.exe Code function: 0_2_004059BD pushad ; retf 0008h 0_2_004059BE
Source: C:\Users\user\Desktop\2GirCpksIO.exe Code function: 0_2_00405EA9 push edi; retf 0_2_00405EAA
Source: C:\Users\user\Desktop\2GirCpksIO.exe Code function: 0_2_0040937F push FFFFFFDFh; ret 0_2_00409385
Source: C:\Users\user\Desktop\2GirCpksIO.exe Code function: 0_2_00408325 push dword ptr [edi]; ret 0_2_00408328
Source: C:\Users\user\Desktop\2GirCpksIO.exe Code function: 0_2_00407B9F push esi; ret 0_2_00407BCB
Source: C:\Users\user\Desktop\2GirCpksIO.exe Code function: 0_2_02041EF5 push edx; ret 0_2_02041F21
Source: C:\Users\user\Desktop\2GirCpksIO.exe Code function: 0_2_02044205 push edx; ret 0_2_02044231
Source: C:\Users\user\Desktop\2GirCpksIO.exe Code function: 0_2_02042A05 push edx; ret 0_2_02042A31
Source: C:\Users\user\Desktop\2GirCpksIO.exe Code function: 0_2_02041205 push edx; ret 0_2_02041231
Source: C:\Users\user\Desktop\2GirCpksIO.exe Code function: 0_2_02045A03 push edx; ret 0_2_02045A31
Source: C:\Users\user\Desktop\2GirCpksIO.exe Code function: 0_2_02046214 push edx; ret 0_2_02046241
Source: C:\Users\user\Desktop\2GirCpksIO.exe Code function: 0_2_02044A13 push edx; ret 0_2_02044A41
Source: C:\Users\user\Desktop\2GirCpksIO.exe Code function: 0_2_02043213 push edx; ret 0_2_02043241
Source: C:\Users\user\Desktop\2GirCpksIO.exe Code function: 0_2_02041A13 push edx; ret 0_2_02041A41
Source: C:\Users\user\Desktop\2GirCpksIO.exe Code function: 0_2_02040218 push edx; ret 0_2_02040241
Source: C:\Users\user\Desktop\2GirCpksIO.exe Code function: 0_2_02043A24 push edx; ret 0_2_02043A51
Source: C:\Users\user\Desktop\2GirCpksIO.exe Code function: 0_2_02042224 push edx; ret 0_2_02042251
Source: C:\Users\user\Desktop\2GirCpksIO.exe Code function: 0_2_02040A24 push edx; ret 0_2_02040A51
Source: C:\Users\user\Desktop\2GirCpksIO.exe Code function: 0_2_02046A24 push edx; ret 0_2_02046A51
Source: C:\Users\user\Desktop\2GirCpksIO.exe Code function: 0_2_02045225 push edx; ret 0_2_02045251
Source: C:\Users\user\Desktop\2GirCpksIO.exe Code function: 0_2_02044233 push edx; ret 0_2_02044261
Source: C:\Users\user\Desktop\2GirCpksIO.exe Code function: 0_2_02042A33 push edx; ret 0_2_02042A61
Source: C:\Users\user\Desktop\2GirCpksIO.exe Code function: 0_2_02041233 push edx; ret 0_2_02041261
Source: initial sample Static PE information: section name: .text entropy: 6.86127779315
Source: C:\Users\user\Desktop\2GirCpksIO.exe Process information set: NOOPENFILEERRORBOX (25 identical events)

Malware Analysis System Evasion:

Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)
Source: C:\Users\user\Desktop\2GirCpksIO.exe Process Stats: CPU usage > 90% for more than 60s
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\2GirCpksIO.exe Code function: 0_2_029402D0 mov eax, dword ptr fs:[00000030h] 0_2_029402D0
Source: C:\Users\user\Desktop\2GirCpksIO.exe Code function: 0_2_0293EE31 mov eax, dword ptr fs:[00000030h] 0_2_0293EE31
Source: C:\Users\user\Desktop\2GirCpksIO.exe Code function: 0_2_0293B87D mov eax, dword ptr fs:[00000030h] 0_2_0293B87D
Source: C:\Users\user\Desktop\2GirCpksIO.exe Code function: 0_2_0293E553 mov eax, dword ptr fs:[00000030h] 0_2_0293E553
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\2GirCpksIO.exe Code function: 0_2_029418A6 RtlAddVectoredExceptionHandler, 0_2_029418A6
Source: 2GirCpksIO.exe, 00000000.00000002.780409814.0000000000C20000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: 2GirCpksIO.exe, 00000000.00000002.780409814.0000000000C20000.00000002.00020000.sdmp Binary or memory string: Progman
Source: 2GirCpksIO.exe, 00000000.00000002.780409814.0000000000C20000.00000002.00020000.sdmp Binary or memory string: SProgram Managerl
Source: 2GirCpksIO.exe, 00000000.00000002.780409814.0000000000C20000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd,
Source: 2GirCpksIO.exe, 00000000.00000002.780409814.0000000000C20000.00000002.00020000.sdmp Binary or memory string: Progmanlock
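The push/ret sequences listed under Data Obfuscation and the fs:[30h] reads listed under Anti Debugging are short byte patterns that can be located in a raw code dump without a full disassembler, and the .text entropy the report quotes (6.86 bits per byte) is a one-line computation over the same bytes. The Python below is an added example, not part of the Joe Sandbox report and not code from the sample: it scans a hand-constructed x86 byte string for both idioms and computes Shannon entropy. The byte string, the pattern table and the function names are this example's own assumptions; the opcode encodings are the standard IA-32 ones.

```python
"""Byte-pattern scan for the idioms the report attributes to the sample.

Added example: not part of the Joe Sandbox report and not code from the sample.
SAMPLE_CODE is a hand-constructed x86 byte string that contains one PEB read
(mov eax, fs:[30h]) and several push/ret control-flow tricks next to ordinary code.
"""
import math
from collections import Counter

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
RET_OPCODES = {0xC3: "ret", 0xCB: "retf"}

# mov r32, fs:[30h]: 64 A1 is the eax short form; 64 8B /r with ModRM mod=00 rm=101 (disp32) for the rest.
PEB_PATTERNS = {b"\x64\xa1\x30\x00\x00\x00": "mov eax, dword ptr fs:[30h]"}
for reg_index, reg in enumerate(REG32):
    if reg != "eax":
        modrm = (reg_index << 3) | 0x05
        PEB_PATTERNS[b"\x64\x8b" + bytes([modrm]) + b"\x30\x00\x00\x00"] = f"mov {reg}, dword ptr fs:[30h]"

# Constructed code: prologue, PEB.BeingDebugged check, push/ret jumps, then a normal epilogue.
SAMPLE_CODE = (
    b"\x55\x8b\xec"              # push ebp; mov ebp, esp
    b"\x64\xa1\x30\x00\x00\x00"  # mov eax, dword ptr fs:[30h]   (PEB)
    b"\x0f\xb6\x40\x02"          # movzx eax, byte ptr [eax+2]   (PEB.BeingDebugged)
    b"\x85\xc0"                  # test eax, eax
    b"\x74\x02"                  # jz +2
    b"\xeb\xfe"                  # jmp $                         (spin when a debugger is present)
    b"\x8b\x75\x08"              # mov esi, [ebp+8]
    b"\x56\xc3"                  # push esi; ret                 (jump to esi)
    b"\x6a\xdf\xc3"              # push 0FFFFFFDFh; ret          (imm8 is sign-extended)
    b"\x9c\xc3"                  # pushfd; ret
    b"\x55\xcb"                  # push ebp; retf
    b"\x5d\xc3"                  # pop ebp; ret                  (ordinary epilogue, must not match)
)


def find_peb_reads(code):
    """(offset, text) for every fs:[30h] read, in file order."""
    hits = []
    for pattern, text in PEB_PATTERNS.items():
        start = 0
        while (idx := code.find(pattern, start)) != -1:
            hits.append((idx, text))
            start = idx + 1
    return sorted(hits)


def find_push_ret(code):
    """(offset, text) for push reg / push imm8 / push imm32 / pushfd immediately followed by ret or retf."""
    hits, i, n = [], 0, len(code)
    while i < n - 1:
        op = code[i]
        if 0x50 <= op <= 0x57 and code[i + 1] in RET_OPCODES:
            hits.append((i, f"push {REG32[op - 0x50]}; {RET_OPCODES[code[i + 1]]}"))
            i += 2
        elif op == 0x9C and code[i + 1] in RET_OPCODES:
            hits.append((i, f"pushfd; {RET_OPCODES[code[i + 1]]}"))
            i += 2
        elif op == 0x6A and i + 2 < n and code[i + 2] in RET_OPCODES:
            imm = code[i + 1] - 0x100 if code[i + 1] >= 0x80 else code[i + 1]   # imm8 sign-extended to 32 bits
            hits.append((i, f"push {imm & 0xFFFFFFFF:08X}h; {RET_OPCODES[code[i + 2]]}"))
            i += 3
        elif op == 0x68 and i + 5 < n and code[i + 5] in RET_OPCODES:
            imm = int.from_bytes(code[i + 1:i + 5], "little")
            hits.append((i, f"push {imm:08X}h; {RET_OPCODES[code[i + 5]]}"))
            i += 6
        else:
            i += 1
    return hits


def shannon_entropy(data):
    """Bits per byte: 0.0 for constant data, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan(code):
    return {
        "peb_reads": find_peb_reads(code),
        "push_ret": find_push_ret(code),
        "entropy": round(shannon_entropy(code), 3),
    }


if __name__ == "__main__":
    result = scan(SAMPLE_CODE)
    for offset, text in result["peb_reads"] + result["push_ret"]:
        print(f"{offset:04x}: {text}")
    print("entropy:", result["entropy"])
```

Two caveats when running this over a real dump. A linear byte scan also matches push/ret bytes that sit inside longer instructions or in data, which is why the report's hits are reported per identified function; treat a hit as a place to disassemble, not as a verdict. And fs:[30h] is simply the PEB on 32-bit Windows: reading it is how position-independent code walks the loader's module list to resolve APIs as well as how PEB.BeingDebugged is checked, so the pattern alone does not separate anti-debugging from import resolution.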
No contacted IP infos