Windows Analysis Report RFQ_TZDQP2110257921.exe

Overview

General Information

Sample Name:	RFQ_TZDQP2110257921.exe
Analysis ID:	528676
MD5:	de5e1ca79f9bc16726e87f9e04529a33
SHA1:	c688c1b2ea205aa37f7fe4a511d18f1bdead62a1
SHA256:	9f1956145a9bdc606ad1463721f38ea1c31c6aeabfb028a0b134c0f3e881db47
Tags:	exe
Infos:
Most interesting Screenshot:

Detection

GuLoader

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected GuLoader

Found potential dummy code loops (likely to delay analysis)

C2 URLs / IPs found in malware configuration

Uses 32bit PE files

Contains functionality to call native functions

Sample file is different than original file name gathered from version info

Contains functionality to read the PEB

Program does not show much activity (idle)

Uses code obfuscation techniques (call, push, ret)

Contains functionality for execution timing, often used to detect debuggers

Abnormal high CPU Usage

Detected potential crypto function

Classification

Signatures

AV Detection:

Found malware configuration

Source: 00000000.00000002.1180599647.0000000002B50000.00000040.00000001.sdmp

Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=d_"}

Multi AV Scanner detection for submitted file

Source: RFQ_TZDQP2110257921.exe

ReversingLabs: Detection: 13%

Compliance:

Uses 32bit PE files

Source: RFQ_TZDQP2110257921.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: https://drive.google.com/uc?export=d_

System Summary:

Uses 32bit PE files

Source: RFQ_TZDQP2110257921.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Contains functionality to call native functions

Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe

Code function: 0_2_02B5DAC8 NtAllocateVirtualMemory,

0_2_02B5DAC8

Sample file is different than original file name gathered from version info

Source: RFQ_TZDQP2110257921.exe, 00000000.00000002.1179974594.0000000000421000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameForlornity.exe vs RFQ_TZDQP2110257921.exe
Source: RFQ_TZDQP2110257921.exe	Binary or memory string: OriginalFilenameForlornity.exe vs RFQ_TZDQP2110257921.exe

Abnormal high CPU Usage

Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe

Process Stats: CPU usage > 98%

Detected potential crypto function

Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe	Code function: 0_2_0040153A	0_2_0040153A
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe	Code function: 0_2_00401776	0_2_00401776
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe	Code function: 0_2_00401729	0_2_00401729
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe	Code function: 0_2_02B5DAC8	0_2_02B5DAC8
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe	Code function: 0_2_02B66BC4	0_2_02B66BC4
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe	Code function: 0_2_02B5B2CF	0_2_02B5B2CF
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe	Code function: 0_2_02B5B236	0_2_02B5B236
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe	Code function: 0_2_02B5B3F9	0_2_02B5B3F9
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe	Code function: 0_2_02B5B0FE	0_2_02B5B0FE
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe	Code function: 0_2_02B6502F	0_2_02B6502F
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe	Code function: 0_2_02B5A1AB	0_2_02B5A1AB
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe	Code function: 0_2_02B5E1FB	0_2_02B5E1FB
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe	Code function: 0_2_02B5F1D5	0_2_02B5F1D5
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe	Code function: 0_2_02B5B6B2	0_2_02B5B6B2
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe	Code function: 0_2_02B5A6CE	0_2_02B5A6CE
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe	Code function: 0_2_02B5B608	0_2_02B5B608
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe	Code function: 0_2_02B5A4C9	0_2_02B5A4C9
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe	Code function: 0_2_02B5A464	0_2_02B5A464
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe	Code function: 0_2_02B5A58F	0_2_02B5A58F
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe	Code function: 0_2_02B5B537	0_2_02B5B537
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe	Code function: 0_2_02B64A9C	0_2_02B64A9C
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe	Code function: 0_2_02B5AAF9	0_2_02B5AAF9
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe	Code function: 0_2_02B5AAD3	0_2_02B5AAD3
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe	Code function: 0_2_02B5AB45	0_2_02B5AB45
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe	Code function: 0_2_02B599FD	0_2_02B599FD
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe	Code function: 0_2_02B5AEF7	0_2_02B5AEF7
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe	Code function: 0_2_02B63ECA	0_2_02B63ECA
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe	Code function: 0_2_02B5AE6A	0_2_02B5AE6A
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe	Code function: 0_2_02B5AFC2	0_2_02B5AFC2
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe	Code function: 0_2_02B56CB7	0_2_02B56CB7
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe	Code function: 0_2_02B56CCC	0_2_02B56CCC
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe	Code function: 0_2_02B56C30	0_2_02B56C30
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe	Code function: 0_2_02B62C28	0_2_02B62C28
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe	Code function: 0_2_02B5AD9F	0_2_02B5AD9F
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe	Code function: 0_2_02B5AD46	0_2_02B5AD46

Source: RFQ_TZDQP2110257921.exe

ReversingLabs: Detection: 13%

Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe

File created: C:\Users\user\AppData\Local\Temp\~DF87EDA8D7970694A0.TMP

Jump to behavior

Source: RFQ_TZDQP2110257921.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: classification engine

Classification label: mal72.troj.evad.winEXE@1/1@0/0

Data Obfuscation:

Yara detected GuLoader

Source: Yara match

File source: 00000000.00000002.1180599647.0000000002B50000.00000040.00000001.sdmp, type: MEMORY

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe	Code function: 0_2_0041080B push CFB82872h; iretd	0_2_00410813
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe	Code function: 0_2_0040D0A1 push 223B155Fh; retf	0_2_0040D096
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe	Code function: 0_2_0040A954 push 00000079h; ret	0_2_0040A956
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe	Code function: 0_2_00407242 push eax; retf	0_2_00407351
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe	Code function: 0_2_00414248 push ss; iretd	0_2_00414303
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe	Code function: 0_2_00407257 push eax; retf	0_2_00407351
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe	Code function: 0_2_0040AA76 push ecx; retf	0_2_0040AA82
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe	Code function: 0_2_0040721B push eax; retf	0_2_00407351
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe	Code function: 0_2_00404A2C push ebx; iretd	0_2_00404A34
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe	Code function: 0_2_0040A2F8 push edx; ret	0_2_0040A2F9
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe	Code function: 0_2_0040F2FE push 0000002Eh; iretd	0_2_0040F3F7
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe	Code function: 0_2_0040E2B4 push ss; iretd	0_2_0040E366
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe	Code function: 0_2_00407357 push eax; retf	0_2_00407351
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe	Code function: 0_2_0040F32E push 0000002Eh; iretd	0_2_0040F3F7
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe	Code function: 0_2_004113CA push esi; ret	0_2_004113CB
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe	Code function: 0_2_004173D8 push ss; iretd	0_2_00417496
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe	Code function: 0_2_0040739E push eax; retf	0_2_00407351
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe	Code function: 0_2_004173AE push ss; iretd	0_2_00417496
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe	Code function: 0_2_0040CC41 push 00000043h; retf	0_2_0040CC4D
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe	Code function: 0_2_0040FC62 push ss; iretd	0_2_0040FD26
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe	Code function: 0_2_0040AC38 push FBEE8E6Ah; ret	0_2_0040AC42
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe	Code function: 0_2_0040FC3E push ss; iretd	0_2_0040FD26
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe	Code function: 0_2_00417498 push ss; iretd	0_2_00417496
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe	Code function: 0_2_0040CCB7 push ebx; retf	0_2_0040CCDF
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe	Code function: 0_2_0040FD27 pushfd ; iretd	0_2_0040FD2B
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe	Code function: 0_2_00416D28 push cs; iretd	0_2_00416D2F
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe	Code function: 0_2_0040FD3A push ss; iretd	0_2_0040FD26
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe	Code function: 0_2_00414662 push FFFFFFDBh; iretd	0_2_00414666
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe	Code function: 0_2_0040B6FB push edx; iretd	0_2_0040B808
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe	Code function: 0_2_0041676A push edx; iretd	0_2_0041686B
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe	Code function: 0_2_0040B7EA push edx; iretd	0_2_0040B808

Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion:

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe

Code function: 0_2_02B63BCE rdtsc

0_2_02B63BCE

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)

Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe

Process Stats: CPU usage > 90% for more than 60s

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe	Code function: 0_2_02B6225D mov eax, dword ptr fs:[00000030h]	0_2_02B6225D
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe	Code function: 0_2_02B6502F mov eax, dword ptr fs:[00000030h]	0_2_02B6502F
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe	Code function: 0_2_02B5D1B5 mov eax, dword ptr fs:[00000030h]	0_2_02B5D1B5
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe	Code function: 0_2_02B62F6B mov eax, dword ptr fs:[00000030h]	0_2_02B62F6B

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe

Code function: 0_2_02B63BCE rdtsc

0_2_02B63BCE

Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe

Code function: 0_2_02B66BC4 RtlAddVectoredExceptionHandler,

0_2_02B66BC4

Source: RFQ_TZDQP2110257921.exe, 00000000.00000002.1180351535.0000000000DA0000.00000002.00020000.sdmp	Binary or memory string: Program Manager
Source: RFQ_TZDQP2110257921.exe, 00000000.00000002.1180351535.0000000000DA0000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: RFQ_TZDQP2110257921.exe, 00000000.00000002.1180351535.0000000000DA0000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: RFQ_TZDQP2110257921.exe, 00000000.00000002.1180351535.0000000000DA0000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No contacted IP infos

ID:	528676
Product:	CloudBasic
Start time:	16:22:09
Start date:	25.11.2021
Sample:	RFQ_TZDQP2110257921.exe
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	de5e1ca79f9bc16726e87f9e04529a33
SHA1:	c688c1b2ea205aa37f7fe4a511d18f1bdead62a1
SHA256:	9f1956145a9bdc606ad1463721f38ea1c31c6aeabfb028a0b134c0f3e881db47
Filetype:	Win32 Executable (generic) a (10002005/4) 99.15%

Windows Analysis Report RFQ_TZDQP2110257921.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

Networking:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Screenshots

Behavior Graph

Network Map