Windows Analysis Report FACTURAS.exe

Overview

General Information

Sample Name: FACTURAS.exe
Analysis ID: 527918
MD5: ab63f9ba38d9eb4f8bd57ae56a844a31
SHA1: bf1c2a15553f893ff180a307dcb5805c6e440158
SHA256: 5d14499fc44a623454a0518972ba97be883b0394f16f08b4265e46ff12ebfeb3
Tags: exe, guloader

Detection

GuLoader
Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Found potential dummy code loops (likely to delay analysis)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Contains functionality to call native functions
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Program does not show much activity (idle)
Uses code obfuscation techniques (call, push, ret)
Contains functionality for execution timing, often used to detect debuggers
Abnormal high CPU Usage
Detected potential crypto function

AV Detection:

Found malware configuration
Source: 00000000.00000002.820204862.00000000020D0000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id="}
Multi AV Scanner detection for submitted file
Source: FACTURAS.exe ReversingLabs: Detection: 15%

Compliance:

Uses 32bit PE files
Source: FACTURAS.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://drive.google.com/uc?export=download&id=

System Summary:

Uses 32bit PE files
Source: FACTURAS.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Contains functionality to call native functions
Source: C:\Users\user\Desktop\FACTURAS.exe Code function: 0_2_020DDD75 NtAllocateVirtualMemory, 0_2_020DDD75
Sample file is different than original file name gathered from version info
Source: FACTURAS.exe, 00000000.00000000.294184122.0000000000421000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameGILDER.exe vs FACTURAS.exe
Source: FACTURAS.exe Binary or memory string: OriginalFilenameGILDER.exe vs FACTURAS.exe
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\FACTURAS.exe Process Stats: CPU usage > 98%
Detected potential crypto function
Source: C:\Users\user\Desktop\FACTURAS.exe Code function: 0_2_004036BD 0_2_004036BD
Source: C:\Users\user\Desktop\FACTURAS.exe Code function: 0_2_00401538 0_2_00401538
Source: C:\Users\user\Desktop\FACTURAS.exe Code function: 0_2_00401774 0_2_00401774
Source: C:\Users\user\Desktop\FACTURAS.exe Code function: 0_2_00401727 0_2_00401727
Source: C:\Users\user\Desktop\FACTURAS.exe Code function: 0_2_020E6E65 0_2_020E6E65
Source: C:\Users\user\Desktop\FACTURAS.exe Code function: 0_2_020DDD75 0_2_020DDD75
Source: C:\Users\user\Desktop\FACTURAS.exe Code function: 0_2_020D924D 0_2_020D924D
Source: C:\Users\user\Desktop\FACTURAS.exe Code function: 0_2_020D924F 0_2_020D924F
Source: C:\Users\user\Desktop\FACTURAS.exe Code function: 0_2_020D9331 0_2_020D9331
Source: C:\Users\user\Desktop\FACTURAS.exe Code function: 0_2_020E5138 0_2_020E5138
Source: C:\Users\user\Desktop\FACTURAS.exe Code function: 0_2_020D9691 0_2_020D9691
Source: C:\Users\user\Desktop\FACTURAS.exe Code function: 0_2_020DD7F6 0_2_020DD7F6
Source: C:\Users\user\Desktop\FACTURAS.exe Code function: 0_2_020D94E5 0_2_020D94E5
Source: C:\Users\user\Desktop\FACTURAS.exe Code function: 0_2_020D95CD 0_2_020D95CD
Source: C:\Users\user\Desktop\FACTURAS.exe Code function: 0_2_020E45C5 0_2_020E45C5
Source: C:\Users\user\Desktop\FACTURAS.exe Code function: 0_2_020E3A47 0_2_020E3A47
Source: C:\Users\user\Desktop\FACTURAS.exe Code function: 0_2_020DCFA2 0_2_020DCFA2
Source: C:\Users\user\Desktop\FACTURAS.exe Code function: 0_2_020E4CA7 0_2_020E4CA7
Source: C:\Users\user\Desktop\FACTURAS.exe Code function: 0_2_020E4DD5 0_2_020E4DD5
Source: FACTURAS.exe ReversingLabs: Detection: 15%
Source: C:\Users\user\Desktop\FACTURAS.exe File created: C:\Users\user\AppData\Local\Temp\~DF26AA5308F7227456.TMP
Source: FACTURAS.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\FACTURAS.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\FACTURAS.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: classification engine Classification label: mal72.troj.evad.winEXE@1/1@0/0

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000000.00000002.820204862.00000000020D0000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\FACTURAS.exe Code function: 0_2_004013B4 push FFFFFFCDh; iretd 0_2_0040140C
Source: C:\Users\user\Desktop\FACTURAS.exe Code function: 0_2_0040204F push FFFFFFCDh; iretd 0_2_0040206F
Source: C:\Users\user\Desktop\FACTURAS.exe Code function: 0_2_004111C3 push ebp; ret 0_2_00411288
Source: C:\Users\user\Desktop\FACTURAS.exe Code function: 0_2_004051D5 push 0340104Fh; iretd 0_2_004051DB
Source: C:\Users\user\Desktop\FACTURAS.exe Code function: 0_2_00403A4A push esi; retf 0_2_00403A4B
Source: C:\Users\user\Desktop\FACTURAS.exe Code function: 0_2_00402B0E push FFFFFFCDh; iretd 0_2_00402D9B
Source: C:\Users\user\Desktop\FACTURAS.exe Code function: 0_2_00404C1F push eax; ret 0_2_00404C39
Source: C:\Users\user\Desktop\FACTURAS.exe Code function: 0_2_0040BCD6 push 3CF881B8h; ret 0_2_0040BD03
Source: C:\Users\user\Desktop\FACTURAS.exe Code function: 0_2_00413574 push 00000039h; iretd 0_2_00413578
Source: C:\Users\user\Desktop\FACTURAS.exe Code function: 0_2_0040A61E push D9EC50BBh; retf 0_2_0040A62B
Source: C:\Users\user\Desktop\FACTURAS.exe Code function: 0_2_0040A739 push cs; iretd 0_2_0040A73A
Source: C:\Users\user\Desktop\FACTURAS.exe Code function: 0_2_020DE3B0 pushad ; retf 0_2_020DFF57
Source: C:\Users\user\Desktop\FACTURAS.exe Code function: 0_2_020D17FB push cs; ret 0_2_020D17FC
Source: C:\Users\user\Desktop\FACTURAS.exe Code function: 0_2_020D4AE0 push ebp; retf 0_2_020D4AE1
Source: C:\Users\user\Desktop\FACTURAS.exe Code function: 0_2_020D5860 push esp; retn 0004h 0_2_020D5992
Source: C:\Users\user\Desktop\FACTURAS.exe Code function: 0_2_020D0E32 pushfd ; iretd 0_2_020D0E3C
Source: C:\Users\user\Desktop\FACTURAS.exe Code function: 0_2_020D5F76 push eax; iretd 0_2_020D5F8B
Source: C:\Users\user\Desktop\FACTURAS.exe Code function: 0_2_020D5FC1 push eax; iretd 0_2_020D5F8B
Source: C:\Users\user\Desktop\FACTURAS.exe Code function: 0_2_020D4C41 push ebp; ret 0_2_020D4C42
Source: C:\Users\user\Desktop\FACTURAS.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\FACTURAS.exe Code function: 0_2_0041724F rdtsc 0_2_0041724F

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)
Source: C:\Users\user\Desktop\FACTURAS.exe Process Stats: CPU usage > 90% for more than 60s
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\FACTURAS.exe Code function: 0_2_020E5138 mov eax, dword ptr fs:[00000030h] 0_2_020E5138
Source: C:\Users\user\Desktop\FACTURAS.exe Code function: 0_2_020E3589 mov eax, dword ptr fs:[00000030h] 0_2_020E3589
Source: C:\Users\user\Desktop\FACTURAS.exe Code function: 0_2_020D8A51 mov eax, dword ptr fs:[00000030h] 0_2_020D8A51
Source: C:\Users\user\Desktop\FACTURAS.exe Code function: 0_2_020DC9F2 mov eax, dword ptr fs:[00000030h] 0_2_020DC9F2
Source: C:\Users\user\Desktop\FACTURAS.exe Code function: 0_2_020E2C97 mov eax, dword ptr fs:[00000030h] 0_2_020E2C97
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\FACTURAS.exe Code function: 0_2_0041724F rdtsc 0_2_0041724F
Source: C:\Users\user\Desktop\FACTURAS.exe Code function: 0_2_020E6E65 RtlAddVectoredExceptionHandler, 0_2_020E6E65
Source: FACTURAS.exe, 00000000.00000002.820123754.0000000000C40000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: FACTURAS.exe, 00000000.00000002.820123754.0000000000C40000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: FACTURAS.exe, 00000000.00000002.820123754.0000000000C40000.00000002.00020000.sdmp Binary or memory string: Progman
Source: FACTURAS.exe, 00000000.00000002.820123754.0000000000C40000.00000002.00020000.sdmp Binary or memory string: Progmanlock