Windows Analysis Report: Sales Order List.exe

Overview

General Information

Sample Name: Sales Order List.exe
Analysis ID: 526595
MD5: 80bad0903ee7ec98805678673720cfd9
SHA1: 35aecf6fe3ac24adaf16c04b787e90ac4c845eb0
SHA256: 260e6b75d7616efd29c05151f1ce95bbab1aaf8703f86f62c4d9bc6d308a56b8
Tags: exe

Detection

GuLoader
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Initial sample is a PE file and has a suspicious name
Tries to detect virtualization through RDTSC time measurements
C2 URLs / IPs found in malware configuration
Found potential dummy code loops (likely to delay analysis)
Machine Learning detection for sample
Uses 32bit PE files
Sample file is different than original file name gathered from version info
PE file contains strange resources
Contains functionality to read the PEB
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to call native functions
Program does not show much activity (idle)
Contains functionality for execution timing, often used to detect debuggers
Abnormal high CPU Usage

Classification

AV Detection:

Found malware configuration
Source: 00000001.00000002.821817884.00000000020F0000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=downloads;R"}
Multi AV Scanner detection for submitted file
Source: Sales Order List.exe ReversingLabs: Detection: 40%
Machine Learning detection for sample
Source: Sales Order List.exe Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files
Source: Sales Order List.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
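The characteristics line above is worth decoding rather than reading as a blob: RELOCS_STRIPPED means the image carries no .reloc section, so the loader cannot rebase it and ASLR does not apply regardless of DllCharacteristics, which in turn means every address in this report (the 0x0040xxxx code functions, the resource offsets) is stable across runs. The following decoder is an added example, not Joe Sandbox's or the sample's code; it parses the IMAGE_FILE_HEADER, optional header and section table of any in-memory PE and, for a stand-alone run, builds a constructed minimal PE32 header with the same flag set as this sample (i386, Characteristics 0x010F, one .text section with CODE|EXECUTE|READ). The constructed header is an assumption used only as test input; it is not the real file.

```python
import struct
import sys

# IMAGE_FILE_HEADER.Characteristics bits (winnt.h)
FILE_CHARACTERISTICS = {
    0x0001: "RELOCS_STRIPPED",
    0x0002: "EXECUTABLE_IMAGE",
    0x0004: "LINE_NUMS_STRIPPED",
    0x0008: "LOCAL_SYMS_STRIPPED",
    0x0020: "LARGE_ADDRESS_AWARE",
    0x0100: "32BIT_MACHINE",
    0x2000: "DLL",
}

# IMAGE_SECTION_HEADER.Characteristics bits
SECTION_CHARACTERISTICS = {
    0x00000020: "IMAGE_SCN_CNT_CODE",
    0x00000040: "IMAGE_SCN_CNT_INITIALIZED_DATA",
    0x00000080: "IMAGE_SCN_CNT_UNINITIALIZED_DATA",
    0x20000000: "IMAGE_SCN_MEM_EXECUTE",
    0x40000000: "IMAGE_SCN_MEM_READ",
    0x80000000: "IMAGE_SCN_MEM_WRITE",
}

MACHINES = {0x014C: "i386", 0x8664: "AMD64", 0x01C4: "ARMNT", 0xAA64: "ARM64"}
DYNAMIC_BASE = 0x0040  # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE


def flag_names(value, table):
    return [name for bit, name in sorted(table.items()) if value & bit]


def parse_pe(data):
    """Decode machine, file characteristics, ImageBase, ASLR eligibility and
    per-section flags from a PE image in memory. Raises ValueError if not a PE."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    fh = e_lfanew + 4
    machine, nsect, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, fh)
    opt = fh + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    pe32plus = magic == 0x20B
    # PE32: ImageBase (4 bytes) at +0x1C, DllCharacteristics at +0x46
    # PE32+: ImageBase (8 bytes) at +0x18, DllCharacteristics at +0x5E
    image_base = (struct.unpack_from("<Q", data, opt + 0x18)[0] if pe32plus
                  else struct.unpack_from("<I", data, opt + 0x1C)[0])
    dll_chars = struct.unpack_from("<H", data, opt + (0x5E if pe32plus else 0x46))[0]
    sections = []
    sect = opt + opt_size
    for i in range(nsect):
        name, = struct.unpack_from("<8s", data, sect + 40 * i)
        sflags, = struct.unpack_from("<I", data, sect + 40 * i + 36)  # Characteristics
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"),
                         flag_names(sflags, SECTION_CHARACTERISTICS)))
    return {
        "machine": MACHINES.get(machine, hex(machine)),
        "pe32plus": pe32plus,
        "image_base": image_base,
        "characteristics": flag_names(chars, FILE_CHARACTERISTICS),
        # without relocations the loader cannot rebase, so DYNAMIC_BASE is moot
        "aslr_possible": bool(not (chars & 0x0001) and (dll_chars & DYNAMIC_BASE)),
        "sections": sections,
    }


def build_sample_pe():
    """Constructed minimal PE32 header (assumption, not the real sample) with the
    same flags this report lists: i386, 0x010F, one .text CODE|EXECUTE|READ section."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                  # e_lfanew
    opt_size = 0xE0                                          # PE32 optional header
    file_hdr = struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, opt_size, 0x010F)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                    # PE32 magic
    struct.pack_into("<I", opt, 0x1C, 0x400000)              # ImageBase
    struct.pack_into("<H", opt, 0x46, 0x0000)                # DllCharacteristics: no DYNAMIC_BASE
    text = struct.pack("<8sIIIIIIHHI", b".text", 0x1000, 0x1000, 0x1000, 0x400,
                       0, 0, 0, 0, 0x20000000 | 0x40000000 | 0x00000020)
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + text


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    info = parse_pe(blob)
    print(f"{info['machine']} ImageBase={info['image_base']:#x} ASLR={info['aslr_possible']}")
    print("Characteristics:", ", ".join(info["characteristics"]))
    for name, flags in info["sections"]:
        print(f"  {name:<8} {', '.join(flags)}")
```

Run it against the submitted file to reproduce the report's static lines; the `aslr_possible` field is the check to record before writing address-based Yara or setting breakpoints at the 0x0040xxxx functions listed further down.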

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://drive.google.com/uc?export=downloads;R
Source: Sales Order List.exe String found in binary or memory: http://topqualityfreeware.com
Source: Sales Order List.exe String found in binary or memory: http://www.topqualityfreeware.com/

System Summary:

Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: Sales Order List.exe
Uses 32bit PE files
Source: Sales Order List.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Sample file is different than original file name gathered from version info
Source: Sales Order List.exe, 00000001.00000002.821587077.0000000000426000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameBandies.exe vs Sales Order List.exe
Source: Sales Order List.exe Binary or memory string: OriginalFilenameBandies.exe vs Sales Order List.exe
PE file contains strange resources
Source: Sales Order List.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Sales Order List.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Detected potential crypto function
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 1_2_02106B37 1_2_02106B37
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 1_2_020FDBA3 1_2_020FDBA3
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 1_2_020F4279 1_2_020F4279
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 1_2_020FE295 1_2_020FE295
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 1_2_020F42A5 1_2_020F42A5
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 1_2_020F12D4 1_2_020F12D4
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 1_2_02104F00 1_2_02104F00
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 1_2_02102B30 1_2_02102B30
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 1_2_020FDBDF 1_2_020FDBDF
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 1_2_020F3FD5 1_2_020F3FD5
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 1_2_020F9FE8 1_2_020F9FE8
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 1_2_020FD01F 1_2_020FD01F
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 1_2_02103D63 1_2_02103D63
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 1_2_02104993 1_2_02104993
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 1_2_020FD5FC 1_2_020FD5FC
Contains functionality to call native functions
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 1_2_020FDBA3 NtAllocateVirtualMemory, 1_2_020FDBA3
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 1_2_020FDBDF NtAllocateVirtualMemory, 1_2_020FDBDF
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\Sales Order List.exe Process Stats: CPU usage > 98%
Source: Sales Order List.exe ReversingLabs: Detection: 40%
Source: Sales Order List.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Sales Order List.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Sales Order List.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\Sales Order List.exe File created: C:\Users\user\AppData\Local\Temp\~DF904D784913DB7A54.TMP
Source: classification engine Classification label: mal84.troj.evad.winEXE@1/1@0/0

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000001.00000002.821817884.00000000020F0000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 1_2_00404402 pushfd ; retf 1_2_0040441F
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 1_2_00403827 push es; ret 1_2_00403829
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 1_2_004044E6 pushfd ; retf 1_2_004044E7
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 1_2_0040A880 pushfd ; ret 1_2_0040A894
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 1_2_0040A101 push edx; retf 1_2_0040A10A
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 1_2_00404585 pushfd ; retf 1_2_00404597
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 1_2_0040459A pushfd ; retf 1_2_004045AB
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 1_2_004051BF push dword ptr [esi]; iretd 1_2_004051C6
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 1_2_0040665E pushfd ; retf 1_2_0040665F
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 1_2_0040427A pushfd ; retf 1_2_0040427B
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 1_2_004062C2 pushfd ; retf 1_2_004062C3
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 1_2_0040A6C2 push ebx; retf 1_2_0040A6CA
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 1_2_004072E2 pushfd ; retf 1_2_0040730F
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 1_2_0040434A pushfd ; retf 1_2_0040434B
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 1_2_00404336 pushfd ; retf 1_2_00404347
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 1_2_0040633E pushfd ; retf 1_2_0040634B
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 1_2_004067DF pushfd ; retf 1_2_004067E7
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 1_2_020F3FD5 push ebp; retf 67B7h 1_2_020F5122
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 1_2_020F5FF4 push esp; iretd 1_2_020F5FF5
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 1_2_020F0012 push AE35C959h; retf 1_2_020F001E
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 1_2_020F6479 push esp; iretd 1_2_020F66CA
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 1_2_020F24F2 push 812B1A06h; ret 1_2_020F24FD
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 1_2_020F6573 push esp; iretd 1_2_020F66CA
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 1_2_020F7198 pushad ; retf 1_2_020F7199
Source: C:\Users\user\Desktop\Sales Order List.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\Sales Order List.exe RDTSC instruction interceptor: First address: 00000000021038C0 second address: 00000000021038C0 instructions:
0x00000000 rdtsc
0x00000002 mov eax, 5F6A47EFh
0x00000007 xor eax, 22268717h
0x0000000c xor eax, 5FCDF500h
0x00000011 sub eax, 228135F7h
0x00000016 cpuid
0x00000018 popad
0x00000019 call 00007F1730B5F5D7h
0x0000001e lfence
0x00000021 mov edx, 87FFB988h
0x00000026 xor edx, 8DA6BE96h
0x0000002c add edx, 16C465BAh
0x00000032 xor edx, 5EE36CCCh
0x00000038 mov edx, dword ptr [edx]
0x0000003a lfence
0x0000003d test ah, ah
0x0000003f cmp dx, 744Ch
0x00000044 cmp ch, ah
0x00000046 test edx, edx
0x00000048 ret
0x00000049 sub edx, esi
0x0000004b ret
0x0000004c cmp ecx, ebx
0x0000004e add edi, edx
0x00000050 dec dword ptr [ebp+000000F8h]
0x00000056 cmp dword ptr [ebp+000000F8h], 00000000h
0x0000005d jne 00007F1730B5F4EAh
0x0000005f call 00007F1730B5F61Ch
0x00000064 call 00007F1730B5F5F8h
0x00000069 lfence
0x0000006c mov edx, 87FFB988h
0x00000071 xor edx, 8DA6BE96h
0x00000077 add edx, 16C465BAh
0x0000007d xor edx, 5EE36CCCh
0x00000083 mov edx, dword ptr [edx]
0x00000085 lfence
0x00000088 test ah, ah
0x0000008a cmp dx, 744Ch
0x0000008f cmp ch, ah
0x00000091 test edx, edx
0x00000093 ret
0x00000094 mov esi, edx
0x00000096 pushad
0x00000097 rdtsc
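The trace is more informative than the signature name suggests, because the immediates GuLoader feeds into mov/xor/add/sub chains are not random: folded together they are the real operands the obfuscation hides. Working through the trace by hand, the eax chain before the cpuid collapses to 1, and the edx chain before the dereference collapses to 0x7FFE0014. On Windows, 0x7FFE0000 is the fixed user-mode mapping of KUSER_SHARED_DATA and offset 0x14 is SystemTime.LowPart, so the loop reads wall-clock time from shared memory between rdtsc samples, while the cpuid between the two rdtsc reads executes leaf 1 (whose ECX bit 31 reports a hypervisor) and, being an instruction hypervisors must trap, costs far more cycles under a VM than on bare metal. The resolver below is an added example, not a Joe Sandbox or GuLoader component: it takes the instruction text copied from the report's own listing (only the first 0x3a bytes are embedded), emulates the immediate arithmetic per 32-bit register, and labels what each consumer sees. Treating the trace as a rdtsc/cpuid/rdtsc latency check is this editor's reading of it; the constant values themselves are exact.

```python
import re

MASK = 0xFFFFFFFF

# Instruction text copied from the report's RDTSC interceptor trace (the sample's
# own constants); the parser and the interpretation below are the added part.
LISTING = """
0x00000000 rdtsc
0x00000002 mov eax, 5F6A47EFh
0x00000007 xor eax, 22268717h
0x0000000c xor eax, 5FCDF500h
0x00000011 sub eax, 228135F7h
0x00000016 cpuid
0x00000018 popad
0x00000019 call 00007F1730B5F5D7h
0x0000001e lfence
0x00000021 mov edx, 87FFB988h
0x00000026 xor edx, 8DA6BE96h
0x0000002c add edx, 16C465BAh
0x00000032 xor edx, 5EE36CCCh
0x00000038 mov edx, dword ptr [edx]
"""

INSN = re.compile(r"^0x([0-9a-f]+)\s+(\w+)(?:\s+(.*))?$", re.I)
IMM = re.compile(r"^([0-9A-F]+)h$", re.I)

# user-mode mapping of KUSER_SHARED_DATA and the time fields a timing check reads
KUSER_SHARED_DATA = 0x7FFE0000
KUSER_FIELDS = {0x008: "InterruptTime.LowPart", 0x014: "SystemTime.LowPart",
                0x020: "TimeZoneBias"}


def resolve_constants(listing):
    """Fold mov/xor/add/sub-immediate chains per 32-bit register and report the
    value each consumer sees. Returns (offset, mnemonic, register, value) for every
    cpuid (leaf taken from eax) and every [reg] memory operand whose reg is known."""
    regs, resolved = {}, []
    for line in listing.strip().splitlines():
        m = INSN.match(line.strip())
        if not m:
            continue
        off, mnem, ops = int(m.group(1), 16), m.group(2).lower(), m.group(3) or ""
        parts = [p.strip() for p in ops.split(",")] if ops else []
        # producers: arithmetic with an immediate operand
        if mnem in ("mov", "xor", "add", "sub") and len(parts) == 2 and IMM.match(parts[1]):
            dst, imm = parts[0].lower(), int(IMM.match(parts[1]).group(1), 16)
            if mnem == "mov":
                regs[dst] = imm
            elif dst in regs:
                cur = regs[dst]
                regs[dst] = {"xor": cur ^ imm, "add": cur + imm, "sub": cur - imm}[mnem] & MASK
            continue
        # consumers: cpuid takes its leaf from eax; [reg] dereferences reg
        if mnem == "cpuid" and "eax" in regs:
            resolved.append((off, "cpuid", "eax", regs["eax"]))
        mem = re.search(r"\[(\w+)\]", ops)
        if mem and mem.group(1).lower() in regs:
            reg = mem.group(1).lower()
            resolved.append((off, mnem, reg, regs[reg]))
        # clobbers: rdtsc/cpuid overwrite eax..edx; any other mov overwrites its destination
        if mnem in ("rdtsc", "cpuid"):
            for r in ("eax", "ebx", "ecx", "edx"):
                regs.pop(r, None)
        elif mnem == "mov" and parts:
            regs.pop(parts[0].lower(), None)
    return resolved


def describe(value, consumer):
    """Human-readable meaning of a resolved value."""
    if consumer == "cpuid":
        note = " (ECX bit 31 = hypervisor present; traps to the VMM)" if value == 1 else ""
        return f"CPUID leaf {value:#x}{note}"
    if KUSER_SHARED_DATA <= value < KUSER_SHARED_DATA + 0x1000:
        off = value - KUSER_SHARED_DATA
        return "KUSER_SHARED_DATA." + KUSER_FIELDS.get(off, f"+{off:#x}")
    return f"{value:#010x}"


if __name__ == "__main__":
    for off, mnem, reg, val in resolve_constants(LISTING):
        print(f"{off:#06x} {mnem:<6} {reg}={val:#010x}  {describe(val, mnem)}")
```

The same folding applies to the address chains elsewhere in GuLoader's shellcode; paste any interceptor trace or disassembly in the same `0xOFFSET mnemonic operands` form and the resolver reports every cpuid leaf and dereferenced address it can prove. Only immediates are tracked, so a register loaded from memory or the stack is reported as unknown rather than guessed.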
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 1_2_02103AA0 rdtsc 1_2_02103AA0

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)
Source: C:\Users\user\Desktop\Sales Order List.exe Process Stats: CPU usage > 90% for more than 60s
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 1_2_02102200 mov eax, dword ptr fs:[00000030h] 1_2_02102200
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 1_2_020FD2AD mov eax, dword ptr fs:[00000030h] 1_2_020FD2AD
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 1_2_02104F00 mov eax, dword ptr fs:[00000030h] 1_2_02104F00
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 1_2_02102DB4 mov eax, dword ptr fs:[00000030h] 1_2_02102DB4
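All four PEB reads, the rdtsc and the cpuid sit in the 0x020Fxxxx-0x0210xxxx region, which is the memory the Yara rule matched rather than the on-disk .text section: this is the unpacked GuLoader stage, and a disk scan will not find these primitives. The scanner below is an added example, not part of the report or of the sample, for triaging a process memory dump such as the .sdmp the Yara hit names: it searches for the IA-32 encodings of `mov r32, fs:[30h]`, `rdtsc` and `cpuid` and flags any rdtsc/cpuid/rdtsc sequence inside a short window, which is the shape of a hypervisor trap-latency check. The embedded input is constructed: its first 0x19 bytes are a hand assembly of the report's own rdtsc/cpuid listing (offsets line up with the trace), followed by made-up filler, a PEB read and a closing rdtsc to exercise the detector.

```python
import re
import sys

# IA-32 encodings of the primitives the report flags (lookup table written for this example)
PATTERNS = {
    "rdtsc": rb"\x0f\x31",
    "cpuid": rb"\x0f\xa2",
    # fs: prefix then either  mov eax, fs:[30h]  (A1 moffs32)
    # or  mov r32, fs:[30h]  (8B /r with mod=00 rm=101, i.e. disp32), disp32 = 0x30
    "peb_read": rb"\x64(?:\xa1|\x8b[\x05\x0d\x15\x1d\x25\x2d\x35\x3d])\x30\x00\x00\x00",
}

# Constructed buffer: the first 0x19 bytes encode the report's listing exactly;
# everything after 0x18 is filler invented to exercise the scanner.
SAMPLE = bytes.fromhex(
    "0f31"          # 0x00 rdtsc
    "b8ef476a5f"    # 0x02 mov eax, 5F6A47EFh
    "3517872622"    # 0x07 xor eax, 22268717h
    "3500f5cd5f"    # 0x0c xor eax, 5FCDF500h
    "2df7358122"    # 0x11 sub eax, 228135F7h
    "0fa2"          # 0x16 cpuid
    "61"            # 0x18 popad
    "90909090"      # 0x19 nop filler (constructed)
    "64a130000000"  # 0x1d mov eax, fs:[30h]      -> PEB   (constructed)
    "8a4002"        # 0x23 mov al, [eax+2]        -> PEB.BeingDebugged (constructed)
    "0f31"          # 0x26 rdtsc                  (constructed)
)


def scan(buf):
    """Return sorted (offset, primitive) hits for every pattern in buf."""
    hits = []
    for name, pat in PATTERNS.items():
        hits += [(m.start(), name) for m in re.finditer(pat, buf, re.S)]
    return sorted(hits)


def timing_windows(hits, window=0x100):
    """Flag rdtsc ... cpuid ... rdtsc sequences no more than `window` bytes apart.
    Returns (first_rdtsc, cpuid, second_rdtsc) offset triples."""
    rdtscs = [o for o, n in hits if n == "rdtsc"]
    cpuids = [o for o, n in hits if n == "cpuid"]
    found = []
    for a, b in zip(rdtscs, rdtscs[1:]):
        for c in cpuids:
            if a < c < b and b - a <= window:
                found.append((a, c, b))
    return found


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    hits = scan(data)
    for off, name in hits:
        print(f"{off:#010x} {name}")
    for a, c, b in timing_windows(hits):
        print(f"rdtsc/cpuid/rdtsc timing loop: {a:#x} -> {c:#x} -> {b:#x}")
```

Two-byte opcodes such as 0F 31 will also match inside data, so treat a lone rdtsc or cpuid hit as a lead to disassemble, not a verdict; the seven-byte fs:[30h] form is specific enough to act on directly. A dump scanned with a base address (the 0x020F0000 region here) converts offsets to the 1_2_xxxxxxxx function addresses the report uses by simple addition.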
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 1_2_02103AA0 rdtsc 1_2_02103AA0
Source: C:\Users\user\Desktop\Sales Order List.exe Code function: 1_2_02106B37 RtlAddVectoredExceptionHandler, 1_2_02106B37
Source: Sales Order List.exe, 00000001.00000002.821708707.0000000000C50000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: Sales Order List.exe, 00000001.00000002.821708707.0000000000C50000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: Sales Order List.exe, 00000001.00000002.821708707.0000000000C50000.00000002.00020000.sdmp Binary or memory string: Progman
Source: Sales Order List.exe, 00000001.00000002.821708707.0000000000C50000.00000002.00020000.sdmp Binary or memory string: Progmanlock
Contacted IPs: none recorded during analysis