Loading ...

Play interactive tourEdit tour

Windows Analysis Report Sales Order List.exe

Overview

General Information

Sample Name:Sales Order List.exe
Analysis ID:526595
MD5:80bad0903ee7ec98805678673720cfd9
SHA1:35aecf6fe3ac24adaf16c04b787e90ac4c845eb0
SHA256:260e6b75d7616efd29c05151f1ce95bbab1aaf8703f86f62c4d9bc6d308a56b8
Tags:exe
Infos:

Most interesting Screenshot:

Detection

GuLoader
Score:84
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Initial sample is a PE file and has a suspicious name
Tries to detect virtualization through RDTSC time measurements
C2 URLs / IPs found in malware configuration
Found potential dummy code loops (likely to delay analysis)
Machine Learning detection for sample
Uses 32bit PE files
Sample file is different than original file name gathered from version info
PE file contains strange resources
Contains functionality to read the PEB
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to call native functions
Program does not show much activity (idle)
Contains functionality for execution timing, often used to detect debuggers
Abnormal high CPU Usage

Classification

Process Tree

  • System is w10x64
  • Sales Order List.exe (PID: 2260 cmdline: "C:\Users\user\Desktop\Sales Order List.exe" MD5: 80BAD0903EE7EC98805678673720CFD9)
  • cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://drive.google.com/uc?export=downloads;R"}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000001.00000002.821817884.00000000020F0000.00000040.00000001.sdmpJoeSecurity_GuLoader_2Yara detected GuLoaderJoe Security

    Sigma Overview

    No Sigma rule has matched

    Jbx Signature Overview

    Click to jump to signature section

    Show All Signature Results

    AV Detection:

    barindex
    Found malware configurationShow sources
    Source: 00000001.00000002.821817884.00000000020F0000.00000040.00000001.sdmpMalware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=downloads;R"}
    Multi AV Scanner detection for submitted fileShow sources
    Source: Sales Order List.exeReversingLabs: Detection: 40%
    Machine Learning detection for sampleShow sources
    Source: Sales Order List.exeJoe Sandbox ML: detected
    Source: Sales Order List.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

    Networking:

    barindex
    C2 URLs / IPs found in malware configurationShow sources
    Source: Malware configuration extractorURLs: https://drive.google.com/uc?export=downloads;R
    Source: Sales Order List.exeString found in binary or memory: http://topqualityfreeware.com
    Source: Sales Order List.exeString found in binary or memory: http://www.topqualityfreeware.com/

    System Summary:

    barindex
    Initial sample is a PE file and has a suspicious nameShow sources
    Source: initial sampleStatic PE information: Filename: Sales Order List.exe
    Source: Sales Order List.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
    Source: Sales Order List.exe, 00000001.00000002.821587077.0000000000426000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameBandies.exe vs Sales Order List.exe
    Source: Sales Order List.exeBinary or memory string: OriginalFilenameBandies.exe vs Sales Order List.exe
    Source: Sales Order List.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
    Source: Sales Order List.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
    Source: C:\Users\user\Desktop\Sales Order List.exeCode function: 1_2_02106B37
    Source: C:\Users\user\Desktop\Sales Order List.exeCode function: 1_2_020FDBA3
    Source: C:\Users\user\Desktop\Sales Order List.exeCode function: 1_2_020F4279
    Source: C:\Users\user\Desktop\Sales Order List.exeCode function: 1_2_020FE295
    Source: C:\Users\user\Desktop\Sales Order List.exeCode function: 1_2_020F42A5
    Source: C:\Users\user\Desktop\Sales Order List.exeCode function: 1_2_020F12D4
    Source: C:\Users\user\Desktop\Sales Order List.exeCode function: 1_2_02104F00
    Source: C:\Users\user\Desktop\Sales Order List.exeCode function: 1_2_02102B30
    Source: C:\Users\user\Desktop\Sales Order List.exeCode function: 1_2_020FDBDF
    Source: C:\Users\user\Desktop\Sales Order List.exeCode function: 1_2_020F3FD5
    Source: C:\Users\user\Desktop\Sales Order List.exeCode function: 1_2_020F9FE8
    Source: C:\Users\user\Desktop\Sales Order List.exeCode function: 1_2_020FD01F
    Source: C:\Users\user\Desktop\Sales Order List.exeCode function: 1_2_02103D63
    Source: C:\Users\user\Desktop\Sales Order List.exeCode function: 1_2_02104993
    Source: C:\Users\user\Desktop\Sales Order List.exeCode function: 1_2_020FD5FC
    Source: C:\Users\user\Desktop\Sales Order List.exeCode function: 1_2_020FDBA3 NtAllocateVirtualMemory,
    Source: C:\Users\user\Desktop\Sales Order List.exeCode function: 1_2_020FDBDF NtAllocateVirtualMemory,
    Source: C:\Users\user\Desktop\Sales Order List.exeProcess Stats: CPU usage > 98%
    Source: Sales Order List.exeReversingLabs: Detection: 40%
    Source: Sales Order List.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\Sales Order List.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: C:\Users\user\Desktop\Sales Order List.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dll
    Source: C:\Users\user\Desktop\Sales Order List.exeFile created: C:\Users\user\AppData\Local\Temp\~DF904D784913DB7A54.TMPJump to behavior
    Source: classification engineClassification label: mal84.troj.evad.winEXE@1/1@0/0

    Data Obfuscation:

    barindex
    Yara detected GuLoaderShow sources
    Source: Yara matchFile source: 00000001.00000002.821817884.00000000020F0000.00000040.00000001.sdmp, type: MEMORY
    Source: C:\Users\user\Desktop\Sales Order List.exeCode function: 1_2_00404402 pushfd ; retf
    Source: C:\Users\user\Desktop\Sales Order List.exeCode function: 1_2_00403827 push es; ret
    Source: C:\Users\user\Desktop\Sales Order List.exeCode function: 1_2_004044E6 pushfd ; retf
    Source: C:\Users\user\Desktop\Sales Order List.exeCode function: 1_2_0040A880 pushfd ; ret
    Source: C:\Users\user\Desktop\Sales Order List.exeCode function: 1_2_0040A101 push edx; retf
    Source: C:\Users\user\Desktop\Sales Order List.exeCode function: 1_2_00404585 pushfd ; retf
    Source: C:\Users\user\Desktop\Sales Order List.exeCode function: 1_2_0040459A pushfd ; retf
    Source: C:\Users\user\Desktop\Sales Order List.exeCode function: 1_2_004051BF push dword ptr [esi]; iretd
    Source: C:\Users\user\Desktop\Sales Order List.exeCode function: 1_2_0040665E pushfd ; retf
    Source: C:\Users\user\Desktop\Sales Order List.exeCode function: 1_2_0040427A pushfd ; retf
    Source: C:\Users\user\Desktop\Sales Order List.exeCode function: 1_2_004062C2 pushfd ; retf
    Source: C:\Users\user\Desktop\Sales Order List.exeCode function: 1_2_0040A6C2 push ebx; retf
    Source: C:\Users\user\Desktop\Sales Order List.exeCode function: 1_2_004072E2 pushfd ; retf
    Source: C:\Users\user\Desktop\Sales Order List.exeCode function: 1_2_0040434A pushfd ; retf
    Source: C:\Users\user\Desktop\Sales Order List.exeCode function: 1_2_00404336 pushfd ; retf
    Source: C:\Users\user\Desktop\Sales Order List.exeCode function: 1_2_0040633E pushfd ; retf
    Source: C:\Users\user\Desktop\Sales Order List.exeCode function: 1_2_004067DF pushfd ; retf
    Source: C:\Users\user\Desktop\Sales Order List.exeCode function: 1_2_020F3FD5 push ebp; retf 67B7h
    Source: C:\Users\user\Desktop\Sales Order List.exeCode function: 1_2_020F5FF4 push esp; iretd
    Source: C:\Users\user\Desktop\Sales Order List.exeCode function: 1_2_020F0012 push AE35C959h; retf
    Source: C:\Users\user\Desktop\Sales Order List.exeCode function: 1_2_020F6479 push esp; iretd
    Source: C:\Users\user\Desktop\Sales Order List.exeCode function: 1_2_020F24F2 push 812B1A06h; ret
    Source: C:\Users\user\Desktop\Sales Order List.exeCode function: 1_2_020F6573 push esp; iretd
    Source: C:\Users\user\Desktop\Sales Order List.exeCode function: 1_2_020F7198 pushad ; retf
    Source: C:\Users\user\Desktop\Sales Order List.exeProcess information set: NOOPENFILEERRORBOX

    Malware Analysis System Evasion:

    barindex
    Tries to detect virtualization through RDTSC time measurementsShow sources
    Source: C:\Users\user\Desktop\Sales Order List.exeRDTSC instruction interceptor: First address: 00000000021038C0 second address: 00000000021038C0 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 5F6A47EFh 0x00000007 xor eax, 22268717h 0x0000000c xor eax, 5FCDF500h 0x00000011 sub eax, 228135F7h 0x00000016 cpuid 0x00000018 popad 0x00000019 call 00007F1730B5F5D7h 0x0000001e lfence 0x00000021 mov edx, 87FFB988h 0x00000026 xor edx, 8DA6BE96h 0x0000002c add edx, 16C465BAh 0x00000032 xor edx, 5EE36CCCh 0x00000038 mov edx, dword ptr [edx] 0x0000003a lfence 0x0000003d test ah, ah 0x0000003f cmp dx, 744Ch 0x00000044 cmp ch, ah 0x00000046 test edx, edx 0x00000048 ret 0x00000049 sub edx, esi 0x0000004b ret 0x0000004c cmp ecx, ebx 0x0000004e add edi, edx 0x00000050 dec dword ptr [ebp+000000F8h] 0x00000056 cmp dword ptr [ebp+000000F8h], 00000000h 0x0000005d jne 00007F1730B5F4EAh 0x0000005f call 00007F1730B5F61Ch 0x00000064 call 00007F1730B5F5F8h 0x00000069 lfence 0x0000006c mov edx, 87FFB988h 0x00000071 xor edx, 8DA6BE96h 0x00000077 add edx, 16C465BAh 0x0000007d xor edx, 5EE36CCCh 0x00000083 mov edx, dword ptr [edx] 0x00000085 lfence 0x00000088 test ah, ah 0x0000008a cmp dx, 744Ch 0x0000008f cmp ch, ah 0x00000091 test edx, edx 0x00000093 ret 0x00000094 mov esi, edx 0x00000096 pushad 0x00000097 rdtsc
    Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
    Source: C:\Users\user\Desktop\Sales Order List.exeCode function: 1_2_02103AA0 rdtsc

    Anti Debugging:

    barindex
    Found potential dummy code loops (likely to delay analysis)Show sources
    Source: C:\Users\user\Desktop\Sales Order List.exeProcess Stats: CPU usage > 90% for more than 60s
    Source: C:\Users\user\Desktop\Sales Order List.exeCode function: 1_2_02102200 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\Sales Order List.exeCode function: 1_2_020FD2AD mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\Sales Order List.exeCode function: 1_2_02104F00 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\Sales Order List.exeCode function: 1_2_02102DB4 mov eax, dword ptr fs:[00000030h]
    Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
    Source: C:\Users\user\Desktop\Sales Order List.exeCode function: 1_2_02103AA0 rdtsc
    Source: C:\Users\user\Desktop\Sales Order List.exeCode function: 1_2_02106B37 RtlAddVectoredExceptionHandler,
    Source: Sales Order List.exe, 00000001.00000002.821708707.0000000000C50000.00000002.00020000.sdmpBinary or memory string: Program Manager
    Source: Sales Order List.exe, 00000001.00000002.821708707.0000000000C50000.00000002.00020000.sdmpBinary or memory string: Shell_TrayWnd
    Source: Sales Order List.exe, 00000001.00000002.821708707.0000000000C50000.00000002.00020000.sdmpBinary or memory string: Progman
    Source: Sales Order List.exe, 00000001.00000002.821708707.0000000000C50000.00000002.00020000.sdmpBinary or memory string: Progmanlock

    Mitre Att&ck Matrix

    Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
    Valid AccountsWindows Management InstrumentationPath InterceptionProcess Injection1Virtualization/Sandbox Evasion11OS Credential DumpingSecurity Software Discovery21Remote ServicesArchive Collected Data1Exfiltration Over Other Network MediumEncrypted Channel1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
    Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsProcess Injection1LSASS MemoryVirtualization/Sandbox Evasion11Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothApplication Layer Protocol1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
    Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Obfuscated Files or Information1Security Account ManagerProcess Discovery1SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
    Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Binary PaddingNTDSSystem Information Discovery11Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud

    Behavior Graph

    Hide Legend

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values
    • Number of created Files
    • Visual Basic
    • Delphi
    • Java
    • .Net C# or VB.NET
    • C, C++ or other language
    • Is malicious
    • Internet

    Screenshots

    Thumbnails

    This section contains all screenshots as thumbnails, including those not shown in the slideshow.