Windows Analysis Report Statement from QNB.exe

Overview

General Information

Sample Name: Statement from QNB.exe
Analysis ID: 527846
MD5: 9c8b626668e14aeb4355ea39d1520e33
SHA1: 554069b1fb3a80a02840158d31c6c2826812cb40
SHA256: d63ed0450efe28d525954d84556394f21df1c2d882e74b4891492fefab00dd79
Tags: exe
Infos:

Most interesting Screenshot:

Detection

GuLoader
Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected GuLoader
Found potential dummy code loops (likely to delay analysis)
Tries to detect virtualization through RDTSC time measurements
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Contains functionality to call native functions
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Program does not show much activity (idle)
Uses code obfuscation techniques (call, push, ret)
Contains functionality for execution timing, often used to detect debuggers
Abnormal high CPU Usage
Detected potential crypto function

Classification

AV Detection:

barindex
Found malware configuration
Source: 00000000.00000002.866154306.00000000021F0000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=1y{\\"}

Compliance:

barindex
Uses 32bit PE files
Source: Statement from QNB.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

barindex
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://drive.google.com/uc?export=download&id=1y{\

System Summary:

barindex
Uses 32bit PE files
Source: Statement from QNB.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Contains functionality to call native functions
Source: C:\Users\user\Desktop\Statement from QNB.exe Code function: 0_2_021FDA66 NtAllocateVirtualMemory, 0_2_021FDA66
Sample file is different than original file name gathered from version info
Source: Statement from QNB.exe, 00000000.00000000.341071584.0000000000421000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameEsothyropexy4.exe vs Statement from QNB.exe
Source: Statement from QNB.exe Binary or memory string: OriginalFilenameEsothyropexy4.exe vs Statement from QNB.exe
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\Statement from QNB.exe Process Stats: CPU usage > 98%
Detected potential crypto function
Source: C:\Users\user\Desktop\Statement from QNB.exe Code function: 0_2_00401771 0_2_00401771
Source: C:\Users\user\Desktop\Statement from QNB.exe Code function: 0_2_00401724 0_2_00401724
Source: C:\Users\user\Desktop\Statement from QNB.exe Code function: 0_2_00401535 0_2_00401535
Source: C:\Users\user\Desktop\Statement from QNB.exe Code function: 0_2_021FDA66 0_2_021FDA66
Source: C:\Users\user\Desktop\Statement from QNB.exe Code function: 0_2_0220697A 0_2_0220697A
Source: C:\Users\user\Desktop\Statement from QNB.exe Code function: 0_2_021F3E05 0_2_021F3E05
Source: C:\Users\user\Desktop\Statement from QNB.exe Code function: 0_2_02202A7B 0_2_02202A7B
Source: C:\Users\user\Desktop\Statement from QNB.exe Code function: 0_2_022030BF 0_2_022030BF
Source: C:\Users\user\Desktop\Statement from QNB.exe Code function: 0_2_021F10DE 0_2_021F10DE
Source: C:\Users\user\Desktop\Statement from QNB.exe Code function: 0_2_02204D65 0_2_02204D65
Source: C:\Users\user\Desktop\Statement from QNB.exe Code function: 0_2_021FA561 0_2_021FA561
Source: C:\Users\user\Desktop\Statement from QNB.exe Code function: 0_2_021FD382 0_2_021FD382
Source: C:\Users\user\Desktop\Statement from QNB.exe Code function: 0_2_021FE1B9 0_2_021FE1B9
Source: C:\Users\user\Desktop\Statement from QNB.exe File created: C:\Users\user\AppData\Local\Temp\~DF9449C0319C5371E6.TMP Jump to behavior
Source: Statement from QNB.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Statement from QNB.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\Desktop\Statement from QNB.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll Jump to behavior
Source: classification engine Classification label: mal68.troj.evad.winEXE@1/1@0/0

Data Obfuscation:

barindex
Yara detected GuLoader
Source: Yara match File source: 00000000.00000002.866154306.00000000021F0000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Statement from QNB.exe Code function: 0_2_0040BE02 push cs; ret 0_2_0040BE0F
Source: C:\Users\user\Desktop\Statement from QNB.exe Code function: 0_2_00401194 push esi; iretd 0_2_00401195
Source: C:\Users\user\Desktop\Statement from QNB.exe Code function: 0_2_004063A0 push edi; iretd 0_2_004063A1
Source: C:\Users\user\Desktop\Statement from QNB.exe Code function: 0_2_021F3C8F pushfd ; retf 0_2_021F3C96
Source: C:\Users\user\Desktop\Statement from QNB.exe Code function: 0_2_021F21DE push 81EB8925h; ret 0_2_021F21E3
Source: C:\Users\user\Desktop\Statement from QNB.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\Statement from QNB.exe RDTSC instruction interceptor: First address: 0000000002203784 second address: 0000000002203784 instructions: 0x00000000 rdtsc 0x00000002 mov eax, FE5F6E88h 0x00000007 xor eax, 68D71742h 0x0000000c xor eax, 6F594955h 0x00000011 sub eax, F9D1309Eh 0x00000016 cpuid 0x00000018 test cl, cl 0x0000001a popad 0x0000001b call 00007F40CCEAB6A1h 0x00000020 lfence 0x00000023 mov edx, 7A5E759Dh 0x00000028 sub edx, 232409FCh 0x0000002e sub edx, F258D238h 0x00000034 xor edx, 1B1F997Dh 0x0000003a mov edx, dword ptr [edx] 0x0000003c lfence 0x0000003f jmp 00007F40CCEAB761h 0x00000044 cmp edi, A03E8551h 0x0000004a cmp al, dl 0x0000004c cmp cl, 00000060h 0x0000004f cmp ebx, edx 0x00000051 ret 0x00000052 test ecx, AB9039E8h 0x00000058 sub edx, esi 0x0000005a ret 0x0000005b add edi, edx 0x0000005d dec dword ptr [ebp+000000F8h] 0x00000063 cmp dword ptr [ebp+000000F8h], 00000000h 0x0000006a jne 00007F40CCEAB67Ch 0x0000006c call 00007F40CCEAB7B2h 0x00000071 call 00007F40CCEAB6C4h 0x00000076 lfence 0x00000079 mov edx, 7A5E759Dh 0x0000007e sub edx, 232409FCh 0x00000084 sub edx, F258D238h 0x0000008a xor edx, 1B1F997Dh 0x00000090 mov edx, dword ptr [edx] 0x00000092 lfence 0x00000095 jmp 00007F40CCEAB761h 0x0000009a cmp edi, A03E8551h 0x000000a0 cmp al, dl 0x000000a2 cmp cl, 00000060h 0x000000a5 cmp ebx, edx 0x000000a7 ret 0x000000a8 mov esi, edx 0x000000aa pushad 0x000000ab rdtsc
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Statement from QNB.exe Code function: 0_2_0220377C rdtsc 0_2_0220377C

Anti Debugging:

barindex
Found potential dummy code loops (likely to delay analysis)
Source: C:\Users\user\Desktop\Statement from QNB.exe Process Stats: CPU usage > 90% for more than 60s
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\Statement from QNB.exe Code function: 0_2_021FD0BD mov eax, dword ptr fs:[00000030h] 0_2_021FD0BD
Source: C:\Users\user\Desktop\Statement from QNB.exe Code function: 0_2_02202CF6 mov eax, dword ptr fs:[00000030h] 0_2_02202CF6
Source: C:\Users\user\Desktop\Statement from QNB.exe Code function: 0_2_022020CD mov eax, dword ptr fs:[00000030h] 0_2_022020CD
Source: C:\Users\user\Desktop\Statement from QNB.exe Code function: 0_2_02204D65 mov eax, dword ptr fs:[00000030h] 0_2_02204D65
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Statement from QNB.exe Code function: 0_2_0220377C rdtsc 0_2_0220377C
Source: C:\Users\user\Desktop\Statement from QNB.exe Code function: 0_2_0220697A RtlAddVectoredExceptionHandler, 0_2_0220697A
Source: Statement from QNB.exe, 00000000.00000002.865744501.0000000000D90000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: Statement from QNB.exe, 00000000.00000002.865744501.0000000000D90000.00000002.00020000.sdmp Binary or memory string: Progman
Source: Statement from QNB.exe, 00000000.00000002.865744501.0000000000D90000.00000002.00020000.sdmp Binary or memory string: &Program Manager
Source: Statement from QNB.exe, 00000000.00000002.865744501.0000000000D90000.00000002.00020000.sdmp Binary or memory string: Progmanlock