Windows Analysis Report REVGKXx6Ns.exe

Overview

General Information

Sample Name: REVGKXx6Ns.exe
Analysis ID: 527899
MD5: 7c91db57c98a1f0e38ba65ed651b4779
SHA1: 28cb0d40a73c1a421a9720808d49da010f9ff4ef
SHA256: 12992fe3f998693d92625c53bf5aa6723e87c8c3fb7057dbba4b334742cab376
Infos:

Most interesting Screenshot:

Detection

GuLoader
Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Found potential dummy code loops (likely to delay analysis)
Machine Learning detection for sample
Uses 32bit PE files
Sample file is different than original file name gathered from version info
PE file contains strange resources
Contains functionality to read the PEB
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Program does not show much activity (idle)
Contains functionality for execution timing, often used to detect debuggers
Abnormal high CPU Usage

Classification

AV Detection:

barindex
Found malware configuration
Source: 00000000.00000002.1188260352.0000000002180000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=downlo_"}
Multi AV Scanner detection for submitted file
Source: REVGKXx6Ns.exe Virustotal: Detection: 62% Perma Link
Source: REVGKXx6Ns.exe Metadefender: Detection: 34% Perma Link
Source: REVGKXx6Ns.exe ReversingLabs: Detection: 71%
Machine Learning detection for sample
Source: REVGKXx6Ns.exe Joe Sandbox ML: detected

Compliance:

barindex
Uses 32bit PE files
Source: REVGKXx6Ns.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

barindex
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://drive.google.com/uc?export=downlo_
Source: REVGKXx6Ns.exe String found in binary or memory: http://topqualityfreeware.com
Source: REVGKXx6Ns.exe String found in binary or memory: http://www.topqualityfreeware.com/

System Summary:

barindex
Uses 32bit PE files
Source: REVGKXx6Ns.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Sample file is different than original file name gathered from version info
Source: REVGKXx6Ns.exe, 00000000.00000002.1187905826.0000000000426000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameObumbration1.exe vs REVGKXx6Ns.exe
Source: REVGKXx6Ns.exe Binary or memory string: OriginalFilenameObumbration1.exe vs REVGKXx6Ns.exe
PE file contains strange resources
Source: REVGKXx6Ns.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: REVGKXx6Ns.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Detected potential crypto function
Source: C:\Users\user\Desktop\REVGKXx6Ns.exe Code function: 0_2_004090A6 0_2_004090A6
Source: C:\Users\user\Desktop\REVGKXx6Ns.exe Code function: 0_2_02196B59 0_2_02196B59
Source: C:\Users\user\Desktop\REVGKXx6Ns.exe Code function: 0_2_0218E22D 0_2_0218E22D
Source: C:\Users\user\Desktop\REVGKXx6Ns.exe Code function: 0_2_02189E78 0_2_02189E78
Source: C:\Users\user\Desktop\REVGKXx6Ns.exe Code function: 0_2_021892A8 0_2_021892A8
Source: C:\Users\user\Desktop\REVGKXx6Ns.exe Code function: 0_2_02189AAB 0_2_02189AAB
Source: C:\Users\user\Desktop\REVGKXx6Ns.exe Code function: 0_2_0218AED8 0_2_0218AED8
Source: C:\Users\user\Desktop\REVGKXx6Ns.exe Code function: 0_2_0218AADB 0_2_0218AADB
Source: C:\Users\user\Desktop\REVGKXx6Ns.exe Code function: 0_2_02194AF5 0_2_02194AF5
Source: C:\Users\user\Desktop\REVGKXx6Ns.exe Code function: 0_2_02189314 0_2_02189314
Source: C:\Users\user\Desktop\REVGKXx6Ns.exe Code function: 0_2_02180B33 0_2_02180B33
Source: C:\Users\user\Desktop\REVGKXx6Ns.exe Code function: 0_2_0218A320 0_2_0218A320
Source: C:\Users\user\Desktop\REVGKXx6Ns.exe Code function: 0_2_0218A75D 0_2_0218A75D
Source: C:\Users\user\Desktop\REVGKXx6Ns.exe Code function: 0_2_0218A364 0_2_0218A364
Source: C:\Users\user\Desktop\REVGKXx6Ns.exe Code function: 0_2_02189FAC 0_2_02189FAC
Source: C:\Users\user\Desktop\REVGKXx6Ns.exe Code function: 0_2_02189BD3 0_2_02189BD3
Source: C:\Users\user\Desktop\REVGKXx6Ns.exe Code function: 0_2_02189836 0_2_02189836
Source: C:\Users\user\Desktop\REVGKXx6Ns.exe Code function: 0_2_0218AC2E 0_2_0218AC2E
Source: C:\Users\user\Desktop\REVGKXx6Ns.exe Code function: 0_2_02189858 0_2_02189858
Source: C:\Users\user\Desktop\REVGKXx6Ns.exe Code function: 0_2_0218B044 0_2_0218B044
Source: C:\Users\user\Desktop\REVGKXx6Ns.exe Code function: 0_2_0218A878 0_2_0218A878
Source: C:\Users\user\Desktop\REVGKXx6Ns.exe Code function: 0_2_0218D4B3 0_2_0218D4B3
Source: C:\Users\user\Desktop\REVGKXx6Ns.exe Code function: 0_2_0218A4CC 0_2_0218A4CC
Source: C:\Users\user\Desktop\REVGKXx6Ns.exe Code function: 0_2_0218A0EF 0_2_0218A0EF
Source: C:\Users\user\Desktop\REVGKXx6Ns.exe Code function: 0_2_02192D07 0_2_02192D07
Source: C:\Users\user\Desktop\REVGKXx6Ns.exe Code function: 0_2_02189950 0_2_02189950
Source: C:\Users\user\Desktop\REVGKXx6Ns.exe Code function: 0_2_02189D50 0_2_02189D50
Source: C:\Users\user\Desktop\REVGKXx6Ns.exe Code function: 0_2_0218AD6F 0_2_0218AD6F
Source: C:\Users\user\Desktop\REVGKXx6Ns.exe Code function: 0_2_0218B186 0_2_0218B186
Source: C:\Users\user\Desktop\REVGKXx6Ns.exe Code function: 0_2_0218A9B7 0_2_0218A9B7
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\REVGKXx6Ns.exe Process Stats: CPU usage > 98%
Source: REVGKXx6Ns.exe Virustotal: Detection: 62%
Source: REVGKXx6Ns.exe Metadefender: Detection: 34%
Source: REVGKXx6Ns.exe ReversingLabs: Detection: 71%
Source: REVGKXx6Ns.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\REVGKXx6Ns.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\Desktop\REVGKXx6Ns.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll Jump to behavior
Source: C:\Users\user\Desktop\REVGKXx6Ns.exe File created: C:\Users\user\AppData\Local\Temp\~DF6497174BCC55AD21.TMP Jump to behavior
Source: classification engine Classification label: mal76.troj.evad.winEXE@1/1@0/0

Data Obfuscation:

barindex
Yara detected GuLoader
Source: Yara match File source: 00000000.00000002.1188260352.0000000002180000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\REVGKXx6Ns.exe Code function: 0_2_00404401 pushfd ; retf 0_2_0040441E
Source: C:\Users\user\Desktop\REVGKXx6Ns.exe Code function: 0_2_00403826 push es; ret 0_2_00403828
Source: C:\Users\user\Desktop\REVGKXx6Ns.exe Code function: 0_2_004044E5 pushfd ; retf 0_2_004044E6
Source: C:\Users\user\Desktop\REVGKXx6Ns.exe Code function: 0_2_00404584 pushfd ; retf 0_2_00404596
Source: C:\Users\user\Desktop\REVGKXx6Ns.exe Code function: 0_2_00404599 pushfd ; retf 0_2_004045AA
Source: C:\Users\user\Desktop\REVGKXx6Ns.exe Code function: 0_2_004051BE push dword ptr [esi]; iretd 0_2_004051C5
Source: C:\Users\user\Desktop\REVGKXx6Ns.exe Code function: 0_2_0040665D pushfd ; retf 0_2_0040665E
Source: C:\Users\user\Desktop\REVGKXx6Ns.exe Code function: 0_2_00404279 pushfd ; retf 0_2_0040427A
Source: C:\Users\user\Desktop\REVGKXx6Ns.exe Code function: 0_2_004062C1 pushfd ; retf 0_2_004062C2
Source: C:\Users\user\Desktop\REVGKXx6Ns.exe Code function: 0_2_004072E1 pushfd ; retf 0_2_0040730E
Source: C:\Users\user\Desktop\REVGKXx6Ns.exe Code function: 0_2_004096FC push eax; iretd 0_2_004096FF
Source: C:\Users\user\Desktop\REVGKXx6Ns.exe Code function: 0_2_00404349 pushfd ; retf 0_2_0040434A
Source: C:\Users\user\Desktop\REVGKXx6Ns.exe Code function: 0_2_00404335 pushfd ; retf 0_2_00404346
Source: C:\Users\user\Desktop\REVGKXx6Ns.exe Code function: 0_2_0040633D pushfd ; retf 0_2_0040634A
Source: C:\Users\user\Desktop\REVGKXx6Ns.exe Code function: 0_2_004067DE pushfd ; retf 0_2_004067E6
Source: C:\Users\user\Desktop\REVGKXx6Ns.exe Code function: 0_2_0040A784 push 18165C0Eh; iretd 0_2_0040A789
Source: C:\Users\user\Desktop\REVGKXx6Ns.exe Code function: 0_2_0218423B push 81528D88h; ret 0_2_02184240
Source: C:\Users\user\Desktop\REVGKXx6Ns.exe Code function: 0_2_02182644 push ss; retf 0_2_02182645
Source: C:\Users\user\Desktop\REVGKXx6Ns.exe Code function: 0_2_02186E73 push E8000002h; retf 0_2_02186E78
Source: C:\Users\user\Desktop\REVGKXx6Ns.exe Code function: 0_2_02185ECB push edi; ret 0_2_02185EC2
Source: C:\Users\user\Desktop\REVGKXx6Ns.exe Code function: 0_2_02180EF4 push eax; retf 0_2_02180F07
Source: C:\Users\user\Desktop\REVGKXx6Ns.exe Code function: 0_2_02185C22 push edi; ret 0_2_02185EC2
Source: C:\Users\user\Desktop\REVGKXx6Ns.exe Code function: 0_2_02181447 push ds; ret 0_2_02181449
Source: C:\Users\user\Desktop\REVGKXx6Ns.exe Code function: 0_2_021848A7 pushfd ; ret 0_2_02184A0D
Source: C:\Users\user\Desktop\REVGKXx6Ns.exe Code function: 0_2_0218191A push ebx; retf 0_2_02181920
Source: C:\Users\user\Desktop\REVGKXx6Ns.exe Code function: 0_2_0218491D pushfd ; ret 0_2_02184A0D
Source: C:\Users\user\Desktop\REVGKXx6Ns.exe Code function: 0_2_02184924 pushfd ; ret 0_2_02184A0D
Source: C:\Users\user\Desktop\REVGKXx6Ns.exe Code function: 0_2_02185DDC push edi; ret 0_2_02185EC2
Source: C:\Users\user\Desktop\REVGKXx6Ns.exe Code function: 0_2_02185DC1 push edi; ret 0_2_02185EC2
Source: C:\Users\user\Desktop\REVGKXx6Ns.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\REVGKXx6Ns.exe Code function: 0_2_0218CAA8 rdtsc 0_2_0218CAA8

Anti Debugging:

barindex
Found potential dummy code loops (likely to delay analysis)
Source: C:\Users\user\Desktop\REVGKXx6Ns.exe Process Stats: CPU usage > 90% for more than 60s
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\REVGKXx6Ns.exe Code function: 0_2_0218C664 mov eax, dword ptr fs:[00000030h] 0_2_0218C664
Source: C:\Users\user\Desktop\REVGKXx6Ns.exe Code function: 0_2_021932C9 mov eax, dword ptr fs:[00000030h] 0_2_021932C9
Source: C:\Users\user\Desktop\REVGKXx6Ns.exe Code function: 0_2_02188730 mov eax, dword ptr fs:[00000030h] 0_2_02188730
Source: C:\Users\user\Desktop\REVGKXx6Ns.exe Code function: 0_2_0219286B mov eax, dword ptr fs:[00000030h] 0_2_0219286B
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\REVGKXx6Ns.exe Code function: 0_2_0218CAA8 rdtsc 0_2_0218CAA8
Source: C:\Users\user\Desktop\REVGKXx6Ns.exe Code function: 0_2_02196B59 RtlAddVectoredExceptionHandler, 0_2_02196B59
Source: REVGKXx6Ns.exe, 00000000.00000002.1188147366.0000000000CD0000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: REVGKXx6Ns.exe, 00000000.00000002.1188147366.0000000000CD0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: REVGKXx6Ns.exe, 00000000.00000002.1188147366.0000000000CD0000.00000002.00020000.sdmp Binary or memory string: Progman
Source: REVGKXx6Ns.exe, 00000000.00000002.1188147366.0000000000CD0000.00000002.00020000.sdmp Binary or memory string: Progmanlock
No contacted IP infos