Loading ...

Play interactive tourEdit tour

Windows Analysis Report Statement from QNB.exe

Overview

General Information

Sample Name:Statement from QNB.exe
Analysis ID:527846
MD5:9c8b626668e14aeb4355ea39d1520e33
SHA1:554069b1fb3a80a02840158d31c6c2826812cb40
SHA256:d63ed0450efe28d525954d84556394f21df1c2d882e74b4891492fefab00dd79
Tags:exe
Infos:

Most interesting Screenshot:

Detection

GuLoader
Score:68
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Yara detected GuLoader
Found potential dummy code loops (likely to delay analysis)
Tries to detect virtualization through RDTSC time measurements
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Contains functionality to call native functions
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Program does not show much activity (idle)
Uses code obfuscation techniques (call, push, ret)
Contains functionality for execution timing, often used to detect debuggers
Abnormal high CPU Usage
Detected potential crypto function

Classification

Process Tree

  • System is w10x64
  • Statement from QNB.exe (PID: 6836 cmdline: "C:\Users\user\Desktop\Statement from QNB.exe" MD5: 9C8B626668E14AEB4355EA39D1520E33)
  • cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://drive.google.com/uc?export=download&id=1y{\\"}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000000.00000002.866154306.00000000021F0000.00000040.00000001.sdmpJoeSecurity_GuLoader_2Yara detected GuLoaderJoe Security

    Sigma Overview

    No Sigma rule has matched

    Jbx Signature Overview

    Click to jump to signature section

    Show All Signature Results

    AV Detection:

    barindex
    Found malware configurationShow sources
    Source: 00000000.00000002.866154306.00000000021F0000.00000040.00000001.sdmpMalware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=1y{\\"}
    Source: Statement from QNB.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

    Networking:

    barindex
    C2 URLs / IPs found in malware configurationShow sources
    Source: Malware configuration extractorURLs: https://drive.google.com/uc?export=download&id=1y{\
    Source: Statement from QNB.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
    Source: C:\Users\user\Desktop\Statement from QNB.exeCode function: 0_2_021FDA66 NtAllocateVirtualMemory,0_2_021FDA66
    Source: Statement from QNB.exe, 00000000.00000000.341071584.0000000000421000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameEsothyropexy4.exe vs Statement from QNB.exe
    Source: Statement from QNB.exeBinary or memory string: OriginalFilenameEsothyropexy4.exe vs Statement from QNB.exe
    Source: C:\Users\user\Desktop\Statement from QNB.exeProcess Stats: CPU usage > 98%
    Source: C:\Users\user\Desktop\Statement from QNB.exeCode function: 0_2_004017710_2_00401771
    Source: C:\Users\user\Desktop\Statement from QNB.exeCode function: 0_2_004017240_2_00401724
    Source: C:\Users\user\Desktop\Statement from QNB.exeCode function: 0_2_004015350_2_00401535
    Source: C:\Users\user\Desktop\Statement from QNB.exeCode function: 0_2_021FDA660_2_021FDA66
    Source: C:\Users\user\Desktop\Statement from QNB.exeCode function: 0_2_0220697A0_2_0220697A
    Source: C:\Users\user\Desktop\Statement from QNB.exeCode function: 0_2_021F3E050_2_021F3E05
    Source: C:\Users\user\Desktop\Statement from QNB.exeCode function: 0_2_02202A7B0_2_02202A7B
    Source: C:\Users\user\Desktop\Statement from QNB.exeCode function: 0_2_022030BF0_2_022030BF
    Source: C:\Users\user\Desktop\Statement from QNB.exeCode function: 0_2_021F10DE0_2_021F10DE
    Source: C:\Users\user\Desktop\Statement from QNB.exeCode function: 0_2_02204D650_2_02204D65
    Source: C:\Users\user\Desktop\Statement from QNB.exeCode function: 0_2_021FA5610_2_021FA561
    Source: C:\Users\user\Desktop\Statement from QNB.exeCode function: 0_2_021FD3820_2_021FD382
    Source: C:\Users\user\Desktop\Statement from QNB.exeCode function: 0_2_021FE1B90_2_021FE1B9
    Source: C:\Users\user\Desktop\Statement from QNB.exeFile created: C:\Users\user\AppData\Local\Temp\~DF9449C0319C5371E6.TMPJump to behavior
    Source: Statement from QNB.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\Statement from QNB.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
    Source: C:\Users\user\Desktop\Statement from QNB.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dllJump to behavior
    Source: classification engineClassification label: mal68.troj.evad.winEXE@1/1@0/0

    Data Obfuscation:

    barindex
    Yara detected GuLoaderShow sources
    Source: Yara matchFile source: 00000000.00000002.866154306.00000000021F0000.00000040.00000001.sdmp, type: MEMORY
    Source: C:\Users\user\Desktop\Statement from QNB.exeCode function: 0_2_0040BE02 push cs; ret 0_2_0040BE0F
    Source: C:\Users\user\Desktop\Statement from QNB.exeCode function: 0_2_00401194 push esi; iretd 0_2_00401195
    Source: C:\Users\user\Desktop\Statement from QNB.exeCode function: 0_2_004063A0 push edi; iretd 0_2_004063A1
    Source: C:\Users\user\Desktop\Statement from QNB.exeCode function: 0_2_021F3C8F pushfd ; retf 0_2_021F3C96
    Source: C:\Users\user\Desktop\Statement from QNB.exeCode function: 0_2_021F21DE push 81EB8925h; ret 0_2_021F21E3
    Source: C:\Users\user\Desktop\Statement from QNB.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

    Malware Analysis System Evasion:

    barindex
    Tries to detect virtualization through RDTSC time measurementsShow sources
    Source: C:\Users\user\Desktop\Statement from QNB.exeRDTSC instruction interceptor: First address: 0000000002203784 second address: 0000000002203784 instructions: 0x00000000 rdtsc 0x00000002 mov eax, FE5F6E88h 0x00000007 xor eax, 68D71742h 0x0000000c xor eax, 6F594955h 0x00000011 sub eax, F9D1309Eh 0x00000016 cpuid 0x00000018 test cl, cl 0x0000001a popad 0x0000001b call 00007F40CCEAB6A1h 0x00000020 lfence 0x00000023 mov edx, 7A5E759Dh 0x00000028 sub edx, 232409FCh 0x0000002e sub edx, F258D238h 0x00000034 xor edx, 1B1F997Dh 0x0000003a mov edx, dword ptr [edx] 0x0000003c lfence 0x0000003f jmp 00007F40CCEAB761h 0x00000044 cmp edi, A03E8551h 0x0000004a cmp al, dl 0x0000004c cmp cl, 00000060h 0x0000004f cmp ebx, edx 0x00000051 ret 0x00000052 test ecx, AB9039E8h 0x00000058 sub edx, esi 0x0000005a ret 0x0000005b add edi, edx 0x0000005d dec dword ptr [ebp+000000F8h] 0x00000063 cmp dword ptr [ebp+000000F8h], 00000000h 0x0000006a jne 00007F40CCEAB67Ch 0x0000006c call 00007F40CCEAB7B2h 0x00000071 call 00007F40CCEAB6C4h 0x00000076 lfence 0x00000079 mov edx, 7A5E759Dh 0x0000007e sub edx, 232409FCh 0x00000084 sub edx, F258D238h 0x0000008a xor edx, 1B1F997Dh 0x00000090 mov edx, dword ptr [edx] 0x00000092 lfence 0x00000095 jmp 00007F40CCEAB761h 0x0000009a cmp edi, A03E8551h 0x000000a0 cmp al, dl 0x000000a2 cmp cl, 00000060h 0x000000a5 cmp ebx, edx 0x000000a7 ret 0x000000a8 mov esi, edx 0x000000aa pushad 0x000000ab rdtsc
    Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
    Source: C:\Users\user\Desktop\Statement from QNB.exeCode function: 0_2_0220377C rdtsc 0_2_0220377C

    Anti Debugging:

    barindex
    Found potential dummy code loops (likely to delay analysis)Show sources
    Source: C:\Users\user\Desktop\Statement from QNB.exeProcess Stats: CPU usage > 90% for more than 60s
    Source: C:\Users\user\Desktop\Statement from QNB.exeCode function: 0_2_021FD0BD mov eax, dword ptr fs:[00000030h]0_2_021FD0BD
    Source: C:\Users\user\Desktop\Statement from QNB.exeCode function: 0_2_02202CF6 mov eax, dword ptr fs:[00000030h]0_2_02202CF6
    Source: C:\Users\user\Desktop\Statement from QNB.exeCode function: 0_2_022020CD mov eax, dword ptr fs:[00000030h]0_2_022020CD
    Source: C:\Users\user\Desktop\Statement from QNB.exeCode function: 0_2_02204D65 mov eax, dword ptr fs:[00000030h]0_2_02204D65
    Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
    Source: C:\Users\user\Desktop\Statement from QNB.exeCode function: 0_2_0220377C rdtsc 0_2_0220377C
    Source: C:\Users\user\Desktop\Statement from QNB.exeCode function: 0_2_0220697A RtlAddVectoredExceptionHandler,0_2_0220697A
    Source: Statement from QNB.exe, 00000000.00000002.865744501.0000000000D90000.00000002.00020000.sdmpBinary or memory string: Shell_TrayWnd
    Source: Statement from QNB.exe, 00000000.00000002.865744501.0000000000D90000.00000002.00020000.sdmpBinary or memory string: Progman
    Source: Statement from QNB.exe, 00000000.00000002.865744501.0000000000D90000.00000002.00020000.sdmpBinary or memory string: &Program Manager
    Source: Statement from QNB.exe, 00000000.00000002.865744501.0000000000D90000.00000002.00020000.sdmpBinary or memory string: Progmanlock

    Mitre Att&ck Matrix

    Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
    Valid AccountsWindows Management InstrumentationPath InterceptionProcess Injection1Virtualization/Sandbox Evasion11OS Credential DumpingSecurity Software Discovery21Remote ServicesArchive Collected Data1Exfiltration Over Other Network MediumEncrypted Channel1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
    Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsProcess Injection1LSASS MemoryVirtualization/Sandbox Evasion11Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothApplication Layer Protocol1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
    Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Obfuscated Files or Information1Security Account ManagerProcess Discovery1SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
    Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Binary PaddingNTDSSystem Information Discovery11Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud

    Behavior Graph

    Hide Legend

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values
    • Number of created Files
    • Visual Basic
    • Delphi
    • Java
    • .Net C# or VB.NET
    • C, C++ or other language
    • Is malicious
    • Internet

    Screenshots

    Thumbnails

    This section contains all screenshots as thumbnails, including those not shown in the slideshow.