Windows Analysis Report Zr26f1rL6r.danger

Overview

General Information

Sample Name: Zr26f1rL6r.danger (renamed file extension from danger to exe)
Analysis ID: 528518
MD5: 812181df251e06433bf2f4f6a0c0f0f4
SHA1: aa38a567ee48483d98966622fd320c791bc45871
SHA256: 4d6c910a379d00f329e55ad98a7817de0370695566443a74a9a02c85d2463a9d
Detection

GuLoader
Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Tries to detect virtualization through RDTSC time measurements
C2 URLs / IPs found in malware configuration
Found potential dummy code loops (likely to delay analysis)
Creates a DirectInput object (often for capturing keystrokes)
Uses 32bit PE files
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
PE / OLE file has an invalid certificate
Program does not show much activity (idle)
Contains functionality for execution timing, often used to detect debuggers
Abnormal high CPU Usage

Classification

AV Detection:

Found malware configuration
Source: 00000001.00000002.804770184.0000000002A60000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://atseasonals.com/GHrtt/bin_k"}
Multi AV Scanner detection for submitted file
Source: Zr26f1rL6r.exe Virustotal: Detection: 40%
Source: Zr26f1rL6r.exe ReversingLabs: Detection: 20%

Compliance:

Uses 32bit PE files
Source: Zr26f1rL6r.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://atseasonals.com/GHrtt/bin_k
Source: Zr26f1rL6r.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: Zr26f1rL6r.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: Zr26f1rL6r.exe String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: Zr26f1rL6r.exe String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: Zr26f1rL6r.exe String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: Zr26f1rL6r.exe String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: Zr26f1rL6r.exe String found in binary or memory: http://ocsp.digicert.com0C
Source: Zr26f1rL6r.exe String found in binary or memory: http://ocsp.digicert.com0O
Source: Zr26f1rL6r.exe String found in binary or memory: http://www.digicert.com/CPS0
Source: Zr26f1rL6r.exe String found in binary or memory: https://www.digicert.com/CPS0

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: Zr26f1rL6r.exe, 00000001.00000002.804004031.000000000071A000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Sample file is different than original file name gathered from version info
Source: Zr26f1rL6r.exe, 00000001.00000000.279454201.0000000000422000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameUNDERWR.exe vs Zr26f1rL6r.exe
Source: Zr26f1rL6r.exe Binary or memory string: OriginalFilenameUNDERWR.exe vs Zr26f1rL6r.exe
Detected potential crypto function
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 1_2_00401772 1_2_00401772
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 1_2_00401725 1_2_00401725
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 1_2_00401536 1_2_00401536
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 1_2_02A6523E 1_2_02A6523E
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 1_2_02A65814 1_2_02A65814
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 1_2_02A6FFED 1_2_02A6FFED
PE / OLE file has an invalid certificate
Source: Zr26f1rL6r.exe Static PE information: invalid certificate
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Process Stats: CPU usage > 98%
Source: Zr26f1rL6r.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe File created: C:\Users\user\AppData\Local\Temp\~DFD789DA64D34966AA.TMP
Source: classification engine Classification label: mal76.troj.evad.winEXE@1/1@0/0

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000001.00000002.804770184.0000000002A60000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 1_2_004093B3 push ebx; ret 1_2_004093B4
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 1_2_02A62286 push esi; retf 1_2_02A62228
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 1_2_02A638B3 push 4674B5B4h; retf 1_2_02A63876
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 1_2_02A6388E push 4674B5B4h; retf 1_2_02A63876
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 1_2_02A660C4 pushfd ; iretd 1_2_02A660C7
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 1_2_02A638CA push 4674B5B4h; retf 1_2_02A63876
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 1_2_02A658DF pushfd ; retf 1_2_02A658DE
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 1_2_02A63800 push 4674B5B4h; retf 1_2_02A63876
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 1_2_02A65814 pushfd ; retf 1_2_02A658DE
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 1_2_02A65814 push ebx; retf 1_2_02A65A54
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 1_2_02A60047 push ds; ret 1_2_02A60051
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 1_2_02A60047 push ds; ret 1_2_02A600B3
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 1_2_02A63841 push 4674B5B4h; retf 1_2_02A63876
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 1_2_02A659A2 push ebx; retf 1_2_02A65A54
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 1_2_02A659AE push ebx; retf 1_2_02A65A54
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 1_2_02A6598A push ebx; retf 1_2_02A65A54
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 1_2_02A65996 push ebx; retf 1_2_02A65A54
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 1_2_02A6590E pushfd ; retf 1_2_02A658DE
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 1_2_02A6010F push ds; ret 1_2_02A600B3
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 1_2_02A61918 push esi; ret 1_2_02A6192F
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 1_2_02A65919 push ebx; retf 1_2_02A65A54
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 1_2_02A6597F push ebx; retf 1_2_02A65A54
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 1_2_02A62954 pushad ; ret 1_2_02A62955
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 1_2_02A64DAC push ecx; ret 1_2_02A64DAD
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe RDTSC instruction interceptor: First address: 0000000002A70462 second address: 0000000002A70462 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 6DE2EF76h 0x00000007 xor eax, 3DB09C71h 0x0000000c sub eax, 5442A7C9h 0x00000011 xor eax, FC0FCB3Fh 0x00000016 cpuid 0x00000018 jmp 00007FA49CC56E26h 0x0000001a cmp cx, bx 0x0000001d popad 0x0000001e cmp esi, 4B3AFD05h 0x00000024 call 00007FA49CC56DECh 0x00000029 lfence 0x0000002c mov edx, 710EE3C3h 0x00000031 xor edx, C84DA636h 0x00000037 xor edx, 5FA736A0h 0x0000003d xor edx, 991A7341h 0x00000043 mov edx, dword ptr [edx] 0x00000045 lfence 0x00000048 jmp 00007FA49CC56E1Ah 0x0000004a cmp ecx, C21290E3h 0x00000050 cmp cx, B483h 0x00000055 ret 0x00000056 sub edx, esi 0x00000058 ret 0x00000059 cmp cl, dl 0x0000005b jmp 00007FA49CC56E26h 0x0000005d cmp cx, bx 0x00000060 cmp esi, 7ED3C2E3h 0x00000066 add edi, edx 0x00000068 dec dword ptr [ebp+000000F8h] 0x0000006e cmp dword ptr [ebp+000000F8h], 00000000h 0x00000075 jne 00007FA49CC56D73h 0x00000077 cmp edx, ecx 0x00000079 cmp ebx, 1CFC15CDh 0x0000007f call 00007FA49CC56E8Bh 0x00000084 call 00007FA49CC56E5Ch 0x00000089 lfence 0x0000008c mov edx, 710EE3C3h 0x00000091 xor edx, C84DA636h 0x00000097 xor edx, 5FA736A0h 0x0000009d xor edx, 991A7341h 0x000000a3 mov edx, dword ptr [edx] 0x000000a5 lfence 0x000000a8 jmp 00007FA49CC56E1Ah 0x000000aa cmp ecx, C21290E3h 0x000000b0 cmp cx, B483h 0x000000b5 ret 0x000000b6 mov esi, edx 0x000000b8 pushad 0x000000b9 rdtsc
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 1_2_02A7045A rdtsc 1_2_02A7045A

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Process Stats: CPU usage > 90% for more than 60s
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 1_2_02A6F3CA mov eax, dword ptr fs:[00000030h] 1_2_02A6F3CA
Source: C:\Users\user\Desktop\Zr26f1rL6r.exe Code function: 1_2_02A6FCC1 mov eax, dword ptr fs:[00000030h] 1_2_02A6FCC1
Source: Zr26f1rL6r.exe, 00000001.00000002.804242856.0000000000CA0000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: Zr26f1rL6r.exe, 00000001.00000002.804242856.0000000000CA0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: Zr26f1rL6r.exe, 00000001.00000002.804242856.0000000000CA0000.00000002.00020000.sdmp Binary or memory string: Progman
Source: Zr26f1rL6r.exe, 00000001.00000002.804242856.0000000000CA0000.00000002.00020000.sdmp Binary or memory string: Progmanlock