Windows Analysis Report RFQ_TZDQP2110257921.exe

Overview

General Information

Sample Name: RFQ_TZDQP2110257921.exe
Analysis ID: 528676
MD5: de5e1ca79f9bc16726e87f9e04529a33
SHA1: c688c1b2ea205aa37f7fe4a511d18f1bdead62a1
SHA256: 9f1956145a9bdc606ad1463721f38ea1c31c6aeabfb028a0b134c0f3e881db47
Tags: exe

Detection

GuLoader
Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Found potential dummy code loops (likely to delay analysis)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Contains functionality to call native functions
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Program does not show much activity (idle)
Uses code obfuscation techniques (call, push, ret)
Contains functionality for execution timing, often used to detect debuggers
Abnormal high CPU Usage
Detected potential crypto function

Classification

AV Detection:

Found malware configuration
Source: 00000000.00000002.1180599647.0000000002B50000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=d_"}
Multi AV Scanner detection for submitted file
Source: RFQ_TZDQP2110257921.exe ReversingLabs: Detection: 13%

Compliance:

Uses 32bit PE files
Source: RFQ_TZDQP2110257921.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://drive.google.com/uc?export=d_

System Summary:

Uses 32bit PE files
Source: RFQ_TZDQP2110257921.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Contains functionality to call native functions
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe Code function: 0_2_02B5DAC8 NtAllocateVirtualMemory, 0_2_02B5DAC8
Sample file is different than original file name gathered from version info
Source: RFQ_TZDQP2110257921.exe, 00000000.00000002.1179974594.0000000000421000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameForlornity.exe vs RFQ_TZDQP2110257921.exe
Source: RFQ_TZDQP2110257921.exe Binary or memory string: OriginalFilenameForlornity.exe vs RFQ_TZDQP2110257921.exe
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe Process Stats: CPU usage > 98%
Detected potential crypto function
Source: RFQ_TZDQP2110257921.exe ReversingLabs: Detection: 13%
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe File created: C:\Users\user\AppData\Local\Temp\~DF87EDA8D7970694A0.TMP
Source: RFQ_TZDQP2110257921.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: classification engine Classification label: mal72.troj.evad.winEXE@1/1@0/0

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000000.00000002.1180599647.0000000002B50000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe Code function: 0_2_02B63BCE rdtsc 0_2_02B63BCE

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe Process Stats: CPU usage > 90% for more than 60s
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe Code function: 0_2_02B6225D mov eax, dword ptr fs:[00000030h] 0_2_02B6225D
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe Code function: 0_2_02B6502F mov eax, dword ptr fs:[00000030h] 0_2_02B6502F
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe Code function: 0_2_02B5D1B5 mov eax, dword ptr fs:[00000030h] 0_2_02B5D1B5
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe Code function: 0_2_02B62F6B mov eax, dword ptr fs:[00000030h] 0_2_02B62F6B
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe Code function: 0_2_02B66BC4 RtlAddVectoredExceptionHandler, 0_2_02B66BC4
Source: RFQ_TZDQP2110257921.exe, 00000000.00000002.1180351535.0000000000DA0000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: RFQ_TZDQP2110257921.exe, 00000000.00000002.1180351535.0000000000DA0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: RFQ_TZDQP2110257921.exe, 00000000.00000002.1180351535.0000000000DA0000.00000002.00020000.sdmp Binary or memory string: Progman
Source: RFQ_TZDQP2110257921.exe, 00000000.00000002.1180351535.0000000000DA0000.00000002.00020000.sdmp Binary or memory string: Progmanlock