Windows Analysis Report FAKTURA 9502461485.exe

Overview

General Information

Sample Name: FAKTURA 9502461485.exe
Analysis ID: 530352
MD5: 34ae2e779e3b63f6450aacbaa6b5ab1d
SHA1: 0f7dc13bf5871f3ba281e064776371520b65bdd9
SHA256: 5bf5fa8d817fb2902dc28de115286e963b6dd4f5940d00e017b9944172972b25
Tags: exe

Detection

GuLoader
Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Tries to detect virtualization through RDTSC time measurements
C2 URLs / IPs found in malware configuration
Creates a DirectInput object (often for capturing keystrokes)
Uses 32bit PE files
Sample file is different than original file name gathered from version info
PE file contains strange resources
Contains functionality to read the PEB
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Abnormal high CPU Usage

Classification

AV Detection:

Found malware configuration
Source: 00000000.00000002.1191692194.00000000022B0000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=1xfUz"}
Multi AV Scanner detection for submitted file
Source: FAKTURA 9502461485.exe ReversingLabs: Detection: 26%

Compliance:

Uses 32bit PE files
Source: FAKTURA 9502461485.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://drive.google.com/uc?export=download&id=1xfUz

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: FAKTURA 9502461485.exe, 00000000.00000002.1191484117.000000000070A000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Uses 32bit PE files
Source: FAKTURA 9502461485.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Sample file is different than original file name gathered from version info
Source: FAKTURA 9502461485.exe, 00000000.00000000.664593381.0000000000424000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameAfterpains9.exe vs FAKTURA 9502461485.exe
Source: FAKTURA 9502461485.exe, 00000000.00000002.1191798592.0000000002380000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameAfterpains9.exeFE2X vs FAKTURA 9502461485.exe
Source: FAKTURA 9502461485.exe Binary or memory string: OriginalFilenameAfterpains9.exe vs FAKTURA 9502461485.exe
PE file contains strange resources
Source: FAKTURA 9502461485.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Detected potential crypto function
Source: C:\Users\user\Desktop\FAKTURA 9502461485.exe Code function: 0_2_022C6B79 0_2_022C6B79
Source: C:\Users\user\Desktop\FAKTURA 9502461485.exe Code function: 0_2_022BDC30 0_2_022BDC30
Source: C:\Users\user\Desktop\FAKTURA 9502461485.exe Code function: 0_2_022C3719 0_2_022C3719
Source: C:\Users\user\Desktop\FAKTURA 9502461485.exe Code function: 0_2_022C4BA5 0_2_022C4BA5
Source: C:\Users\user\Desktop\FAKTURA 9502461485.exe Code function: 0_2_022C4413 0_2_022C4413
Contains functionality to call native functions
Source: C:\Users\user\Desktop\FAKTURA 9502461485.exe Code function: 0_2_022BDC30 NtAllocateVirtualMemory, 0_2_022BDC30
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\FAKTURA 9502461485.exe Process Stats: CPU usage > 98%
Source: FAKTURA 9502461485.exe ReversingLabs: Detection: 26%
Source: FAKTURA 9502461485.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\FAKTURA 9502461485.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\FAKTURA 9502461485.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: unknown Process created: C:\Users\user\Desktop\FAKTURA 9502461485.exe "C:\Users\user\Desktop\FAKTURA 9502461485.exe"
Source: C:\Users\user\Desktop\FAKTURA 9502461485.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6744:120:WilError_01
Source: C:\Users\user\Desktop\FAKTURA 9502461485.exe File created: C:\Users\user\AppData\Local\Temp\~DFA25EEA5CBC5E729F.TMP
Source: classification engine Classification label: mal72.troj.evad.winEXE@2/1@0/0

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000000.00000002.1191692194.00000000022B0000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\FAKTURA 9502461485.exe Code function: 0_2_00406D41 push ss; retf 0_2_00406D6D
Source: C:\Users\user\Desktop\FAKTURA 9502461485.exe Code function: 0_2_00409164 push 8069A23Bh; retf 0_2_00409169
Source: C:\Users\user\Desktop\FAKTURA 9502461485.exe Code function: 0_2_00406B87 push ebp; ret 0_2_00406BBB
Source: C:\Users\user\Desktop\FAKTURA 9502461485.exe Code function: 0_2_022B235C push ebx; ret 0_2_022B235E
Source: C:\Users\user\Desktop\FAKTURA 9502461485.exe Code function: 0_2_022B17DD pushfd ; retf 0_2_022B17E7
Source: C:\Users\user\Desktop\FAKTURA 9502461485.exe Code function: 0_2_022B594E push ecx; iretd 0_2_022B5978
Source: C:\Users\user\Desktop\FAKTURA 9502461485.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\FAKTURA 9502461485.exe RDTSC instruction interceptor: First address: 00000000022BCC99 second address: 00000000022BCC99 instructions:
    0x00000000 rdtsc
    0x00000002 mov eax, 5DB00295h
    0x00000007 xor eax, DFA6B599h
    0x0000000c xor eax, 58BD59D9h
    0x00000011 sub eax, DAABEED4h
    0x00000016 cpuid
    0x00000018 popad
    0x00000019 call 00007F1FC084C9C8h
    0x0000001e lfence
    0x00000021 mov edx, F98EF895h
    0x00000026 xor edx, 7569717Eh
    0x0000002c add edx, 1104375Ah
    0x00000032 xor edx, E215C151h
    0x00000038 mov edx, dword ptr [edx]
    0x0000003a lfence
    0x0000003d ret
    0x0000003e sub edx, esi
    0x00000040 ret
    0x00000041 pop ecx
    0x00000042 add edi, edx
    0x00000044 dec ecx
    0x00000045 mov dword ptr [ebp+000001F1h], DD8CFFEBh
    0x0000004f xor dword ptr [ebp+000001F1h], 1BBB3DA6h
    0x00000059 xor dword ptr [ebp+000001F1h], A8C93992h
    0x00000063 jmp 00007F1FC084CA99h
    0x00000068 cmp cx, bx
    0x0000006b sub dword ptr [ebp+000001F1h], 6EFEFBDFh
    0x00000075 cmp ecx, dword ptr [ebp+000001F1h]
    0x0000007b jne 00007F1FC084C891h
    0x00000081 cmp esi, 739A0701h
    0x00000087 mov dword ptr [ebp+00000205h], edx
    0x0000008d test cx, ax
    0x00000090 mov edx, ecx
    0x00000092 push edx
    0x00000093 mov edx, dword ptr [ebp+00000205h]
    0x00000099 cmp ax, 00002609h
    0x0000009d call 00007F1FC084CB1Bh
    0x000000a2 call 00007F1FC084C9E9h
    0x000000a7 lfence
    0x000000aa mov edx, F98EF895h
    0x000000af xor edx, 7569717Eh
    0x000000b5 add edx, 1104375Ah
    0x000000bb xor edx, E215C151h
    0x000000c1 mov edx, dword ptr [edx]
    0x000000c3 lfence
    0x000000c6 ret
    0x000000c7 mov esi, edx
    0x000000c9 pushad
    0x000000ca rdtsc
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed

Anti Debugging:

Contains functionality to read the PEB
Source: C:\Users\user\Desktop\FAKTURA 9502461485.exe Code function: 0_2_022C334E mov eax, dword ptr fs:[00000030h] 0_2_022C334E
Source: C:\Users\user\Desktop\FAKTURA 9502461485.exe Code function: 0_2_022C2989 mov eax, dword ptr fs:[00000030h] 0_2_022C2989
Source: C:\Users\user\Desktop\FAKTURA 9502461485.exe Code function: 0_2_022C6B79 RtlAddVectoredExceptionHandler, 0_2_022C6B79
Source: FAKTURA 9502461485.exe, 00000000.00000002.1191549522.0000000000D90000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: FAKTURA 9502461485.exe, 00000000.00000002.1191549522.0000000000D90000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: FAKTURA 9502461485.exe, 00000000.00000002.1191549522.0000000000D90000.00000002.00020000.sdmp Binary or memory string: Progman
Source: FAKTURA 9502461485.exe, 00000000.00000002.1191549522.0000000000D90000.00000002.00020000.sdmp Binary or memory string: Progmanlock
No contacted IP infos