Windows Analysis Report BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe

Overview

General Information

Sample Name: BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe
Analysis ID: 528679
MD5: d879bb7572225ebf68f74406710f6ea0
SHA1: c34286e6e9d1502a8e3aff050c35781aee371bbc
SHA256: b29f69052169c50b19f3f6cc8d724a228a7b378bb8e0a23c6f5b25d01c5b4e3c
Tags: exe

Detection

GuLoader
Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Tries to detect virtualization through RDTSC time measurements
C2 URLs / IPs found in malware configuration
Found potential dummy code loops (likely to delay analysis)
Uses 32bit PE files
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to call native functions
Program does not show much activity (idle)
Contains functionality for execution timing, often used to detect debuggers
Abnormal high CPU Usage

AV Detection:

Found malware configuration
Source: 00000000.00000002.1183142322.0000000002160000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=1U"}
Multi AV Scanner detection for submitted file
Source: BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe Virustotal: Detection: 53%
Source: BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe ReversingLabs: Detection: 48%

Compliance:

Uses 32bit PE files
Source: BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://drive.google.com/uc?export=download&id=1U

System Summary:

Uses 32bit PE files
Source: BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Sample file is different than original file name gathered from version info
Source: BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe, 00000000.00000000.659576091.0000000000420000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameNulkomponent.exe vs BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe
Source: BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe Binary or memory string: OriginalFilenameNulkomponent.exe vs BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe
Detected potential crypto function
Source: C:\Users\user\Desktop\BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe Code function: 0_2_00401538 0_2_00401538
Source: C:\Users\user\Desktop\BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe Code function: 0_2_00401774 0_2_00401774
Source: C:\Users\user\Desktop\BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe Code function: 0_2_00401727 0_2_00401727
Source: C:\Users\user\Desktop\BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe Code function: 0_2_0216D885 0_2_0216D885
Source: C:\Users\user\Desktop\BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe Code function: 0_2_02176965 0_2_02176965
Source: C:\Users\user\Desktop\BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe Code function: 0_2_0216CADD 0_2_0216CADD
Source: C:\Users\user\Desktop\BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe Code function: 0_2_02174BFA 0_2_02174BFA
Source: C:\Users\user\Desktop\BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe Code function: 0_2_02171413 0_2_02171413
Source: C:\Users\user\Desktop\BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe Code function: 0_2_02174166 0_2_02174166
Source: C:\Users\user\Desktop\BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe Code function: 0_2_0217659C 0_2_0217659C
Source: C:\Users\user\Desktop\BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe Code function: 0_2_0216E199 0_2_0216E199
Contains functionality to call native functions
Source: C:\Users\user\Desktop\BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe Code function: 0_2_0216D885 NtAllocateVirtualMemory, 0_2_0216D885
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe Process Stats: CPU usage > 98%
Source: BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe Virustotal: Detection: 53%
Source: BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe ReversingLabs: Detection: 48%
Source: BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe File created: C:\Users\user\AppData\Local\Temp\~DF23DE6D885E469C5F.TMP
Source: classification engine Classification label: mal76.troj.evad.winEXE@1/1@0/0

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000000.00000002.1183142322.0000000002160000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe Code function: 0_2_00406C05 push esi; retf 0_2_00406C06
Source: C:\Users\user\Desktop\BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe Code function: 0_2_004084FF push edi; iretd 0_2_0040850A
Source: C:\Users\user\Desktop\BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe Code function: 0_2_0040B96F push eax; retf 0_2_0040B977
Source: C:\Users\user\Desktop\BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe Code function: 0_2_004091F4 push ds; retf 0_2_004091F5
Source: C:\Users\user\Desktop\BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe Code function: 0_2_00403999 push 00000027h; iretd 0_2_00403A72
Source: C:\Users\user\Desktop\BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe Code function: 0_2_00404E0F push eax; retf 0_2_00404E41
Source: C:\Users\user\Desktop\BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe Code function: 0_2_00404A2F push ebp; iretd 0_2_00404A51
Source: C:\Users\user\Desktop\BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe Code function: 0_2_00403AC3 push 00000027h; iretd 0_2_00403A72
Source: C:\Users\user\Desktop\BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe Code function: 0_2_0216310B push es; ret 0_2_0216310C
Source: C:\Users\user\Desktop\BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe RDTSC instruction interceptor: First address: 000000000216C8E2 second address: 000000000216C8E2 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 7B963D66h 0x00000007 xor eax, 1197335Eh 0x0000000c xor eax, 8E98B3CDh 0x00000011 add eax, 1B66420Ch 0x00000016 cpuid 0x00000018 popad 0x00000019 call 00007F1AA4D4E17Fh 0x0000001e lfence 0x00000021 mov edx, 039CDF59h 0x00000026 xor edx, 6761231Bh 0x0000002c add edx, BDE9AE69h 0x00000032 xor edx, 5D19AABFh 0x00000038 mov edx, dword ptr [edx] 0x0000003a lfence 0x0000003d ret 0x0000003e sub edx, esi 0x00000040 ret 0x00000041 pop ecx 0x00000042 add edi, edx 0x00000044 dec ecx 0x00000045 mov dword ptr [ebp+000001A9h], 42AF7243h 0x0000004f xor dword ptr [ebp+000001A9h], 94D84AF3h 0x00000059 add dword ptr [ebp+000001A9h], EA6232A4h 0x00000063 add dword ptr [ebp+000001A9h], 3F2694ACh 0x0000006d cmp ecx, dword ptr [ebp+000001A9h] 0x00000073 jne 00007F1AA4D4E05Ah 0x00000075 mov dword ptr [ebp+0000024Fh], edi 0x0000007b mov edi, ecx 0x0000007d push edi 0x0000007e mov edi, dword ptr [ebp+0000024Fh] 0x00000084 call 00007F1AA4D4E1DDh 0x00000089 call 00007F1AA4D4E1A0h 0x0000008e lfence 0x00000091 mov edx, 039CDF59h 0x00000096 xor edx, 6761231Bh 0x0000009c add edx, BDE9AE69h 0x000000a2 xor edx, 5D19AABFh 0x000000a8 mov edx, dword ptr [edx] 0x000000aa lfence 0x000000ad ret 0x000000ae mov esi, edx 0x000000b0 pushad 0x000000b1 rdtsc
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe Code function: 0_2_0216CFD0 rdtsc 0_2_0216CFD0

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)
Source: C:\Users\user\Desktop\BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe Process Stats: CPU usage > 90% for more than 60s
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe Code function: 0_2_02172648 mov eax, dword ptr fs:[00000030h] 0_2_02172648
Source: C:\Users\user\Desktop\BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe Code function: 0_2_02174BFA mov eax, dword ptr fs:[00000030h] 0_2_02174BFA
Source: C:\Users\user\Desktop\BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe Code function: 0_2_0217309A mov eax, dword ptr fs:[00000030h] 0_2_0217309A
Source: C:\Users\user\Desktop\BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe Code function: 0_2_0216C560 mov eax, dword ptr fs:[00000030h] 0_2_0216C560
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe Code function: 0_2_0216CFD0 rdtsc 0_2_0216CFD0
Source: C:\Users\user\Desktop\BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe Code function: 0_2_02176965 RtlAddVectoredExceptionHandler, 0_2_02176965
Source: BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe, 00000000.00000002.1183052033.0000000000C50000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe, 00000000.00000002.1183052033.0000000000C50000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe, 00000000.00000002.1183052033.0000000000C50000.00000002.00020000.sdmp Binary or memory string: Progman
Source: BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe, 00000000.00000002.1183052033.0000000000C50000.00000002.00020000.sdmp Binary or memory string: Progmanlock
No contacted IP infos