Windows Analysis Report: Scanned Payment Copy00024.scr.exe

Overview

General Information

Sample Name: Scanned Payment Copy00024.scr.exe
Analysis ID: 530423
MD5: 9ebaab853c410a3c6ef16ecf45739e8b
SHA1: 67c221c5f1329829d7a808791dc030bf1288d2d7
SHA256: b24869692ba4efa8bb957cb2334ac798b570277c038db867db5a177a0e9a54ec
Tags: exe

Detection

GuLoader
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Initial sample is a PE file and has a suspicious name
Tries to detect virtualization through RDTSC time measurements
Executable has a suspicious name (potential lure to open the executable)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Sample file name is different from the original file name gathered from version info
PE file contains strange resources
Contains functionality to read the PEB
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality for execution timing, often used to detect debuggers
Abnormally high CPU usage

Classification

AV Detection:

Found malware configuration
Source: 00000001.00000002.870438121.0000000002210000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?expo"}
Multi AV Scanner detection for submitted file
Source: Scanned Payment Copy00024.scr.exe ReversingLabs: Detection: 33%

Compliance:

Uses 32bit PE files
Source: Scanned Payment Copy00024.scr.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://drive.google.com/uc?expo

System Summary:

Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: Scanned Payment Copy00024.scr.exe
Executable has a suspicious name (potential lure to open the executable)
Source: Scanned Payment Copy00024.scr.exe Static file information: Suspicious name
Uses 32bit PE files
Source: Scanned Payment Copy00024.scr.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Sample file name is different from the original file name gathered from version info
Source: Scanned Payment Copy00024.scr.exe, 00000001.00000002.870232976.0000000000424000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameDybblsbro.exe vs Scanned Payment Copy00024.scr.exe
Source: Scanned Payment Copy00024.scr.exe, 00000001.00000002.870541474.0000000002290000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameDybblsbro.exeFE2XCorps vs Scanned Payment Copy00024.scr.exe
Source: Scanned Payment Copy00024.scr.exe Binary or memory string: OriginalFilenameDybblsbro.exe vs Scanned Payment Copy00024.scr.exe
PE file contains strange resources
Source: Scanned Payment Copy00024.scr.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Detected potential crypto function
Source: C:\Users\user\Desktop\Scanned Payment Copy00024.scr.exe Code function: 1_2_004047F9 1_2_004047F9
Source: C:\Users\user\Desktop\Scanned Payment Copy00024.scr.exe Code function: 1_2_0221DAB3 1_2_0221DAB3
Source: C:\Users\user\Desktop\Scanned Payment Copy00024.scr.exe Code function: 1_2_022266EC 1_2_022266EC
Source: C:\Users\user\Desktop\Scanned Payment Copy00024.scr.exe Code function: 1_2_02224A6E 1_2_02224A6E
Source: C:\Users\user\Desktop\Scanned Payment Copy00024.scr.exe Code function: 1_2_0221086F 1_2_0221086F
Source: C:\Users\user\Desktop\Scanned Payment Copy00024.scr.exe Code function: 1_2_02219887 1_2_02219887
Source: C:\Users\user\Desktop\Scanned Payment Copy00024.scr.exe Code function: 1_2_02218E0F 1_2_02218E0F
Source: C:\Users\user\Desktop\Scanned Payment Copy00024.scr.exe Code function: 1_2_0221E45E 1_2_0221E45E
Contains functionality to call native functions
Source: C:\Users\user\Desktop\Scanned Payment Copy00024.scr.exe Code function: 1_2_0221DAB3 NtAllocateVirtualMemory, 1_2_0221DAB3
Abnormally high CPU usage
Source: C:\Users\user\Desktop\Scanned Payment Copy00024.scr.exe Process Stats: CPU usage > 98%
Source: Scanned Payment Copy00024.scr.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Scanned Payment Copy00024.scr.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Scanned Payment Copy00024.scr.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: unknown Process created: C:\Users\user\Desktop\Scanned Payment Copy00024.scr.exe "C:\Users\user\Desktop\Scanned Payment Copy00024.scr.exe"
Source: C:\Users\user\Desktop\Scanned Payment Copy00024.scr.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7116:120:WilError_01
Source: C:\Users\user\Desktop\Scanned Payment Copy00024.scr.exe File created: C:\Users\user\AppData\Local\Temp\~DF25FB0965A4D91BCD.TMP
Source: classification engine Classification label: mal80.troj.evad.winEXE@2/1@0/0

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000001.00000002.870438121.0000000002210000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Scanned Payment Copy00024.scr.exe Code function: 1_2_0040756B push 934A6E33h; ret 1_2_00407576
Source: C:\Users\user\Desktop\Scanned Payment Copy00024.scr.exe Code function: 1_2_0040611D push 9754E4D4h; ret 1_2_00406122
Source: C:\Users\user\Desktop\Scanned Payment Copy00024.scr.exe Code function: 1_2_00409A3E push B1F2CAE9h; ret 1_2_00409A4D
Source: C:\Users\user\Desktop\Scanned Payment Copy00024.scr.exe Code function: 1_2_00405B8B push cs; retf 1_2_00405B8D
Source: C:\Users\user\Desktop\Scanned Payment Copy00024.scr.exe Code function: 1_2_022110D0 push FFFFFFE3h; retf 1_2_02211076
Source: C:\Users\user\Desktop\Scanned Payment Copy00024.scr.exe Code function: 1_2_02210F94 push FFFFFFE3h; retf 1_2_02211076
Source: C:\Users\user\Desktop\Scanned Payment Copy00024.scr.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\Scanned Payment Copy00024.scr.exe RDTSC instruction interceptor: First address: 000000000221CC1F second address: 000000000221CC1F instructions: 0x00000000 rdtsc 0x00000002 mov eax, 297B4CD4h 0x00000007 add eax, 19FA60E4h 0x0000000c xor eax, 387E9150h 0x00000011 add eax, 84F4C319h 0x00000016 cpuid 0x00000018 cmp ax, bx 0x0000001b popad 0x0000001c call 00007F2E4C3945B7h 0x00000021 lfence 0x00000024 mov edx, F9458F60h 0x00000029 xor edx, 26C12333h 0x0000002f xor edx, 42BBF15Ah 0x00000035 xor edx, E2C15D1Dh 0x0000003b mov edx, dword ptr [edx] 0x0000003d lfence 0x00000040 ret 0x00000041 jmp 00007F2E4C3945ADh 0x00000046 cmp eax, ebx 0x00000048 sub edx, esi 0x0000004a ret 0x0000004b pop ecx 0x0000004c add edi, edx 0x0000004e dec ecx 0x0000004f mov dword ptr [ebp+00000177h], 07A58850h 0x00000059 xor dword ptr [ebp+00000177h], 9F18B554h 0x00000063 sub dword ptr [ebp+00000177h], D1AEA487h 0x0000006d test bx, cx 0x00000070 add dword ptr [ebp+00000177h], 38F16783h 0x0000007a test dl, bl 0x0000007c cmp ecx, dword ptr [ebp+00000177h] 0x00000082 jne 00007F2E4C3944A5h 0x00000084 mov dword ptr [ebp+000001B9h], eax 0x0000008a mov eax, ecx 0x0000008c push eax 0x0000008d mov eax, dword ptr [ebp+000001B9h] 0x00000093 call 00007F2E4C394625h 0x00000098 call 00007F2E4C3945DBh 0x0000009d lfence 0x000000a0 mov edx, F9458F60h 0x000000a5 xor edx, 26C12333h 0x000000ab xor edx, 42BBF15Ah 0x000000b1 xor edx, E2C15D1Dh 0x000000b7 mov edx, dword ptr [edx] 0x000000b9 lfence 0x000000bc ret 0x000000bd mov esi, edx 0x000000bf pushad 0x000000c0 rdtsc
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Scanned Payment Copy00024.scr.exe Code function: 1_2_0221D12A rdtsc 1_2_0221D12A

Anti Debugging:

Contains functionality to read the PEB
Source: C:\Users\user\Desktop\Scanned Payment Copy00024.scr.exe Code function: 1_2_02224A6E mov eax, dword ptr fs:[00000030h] 1_2_02224A6E
Source: C:\Users\user\Desktop\Scanned Payment Copy00024.scr.exe Code function: 1_2_0221C8A3 mov eax, dword ptr fs:[00000030h] 1_2_0221C8A3
Source: C:\Users\user\Desktop\Scanned Payment Copy00024.scr.exe Code function: 1_2_022226C0 mov eax, dword ptr fs:[00000030h] 1_2_022226C0
Source: C:\Users\user\Desktop\Scanned Payment Copy00024.scr.exe Code function: 1_2_02222FB6 mov eax, dword ptr fs:[00000030h] 1_2_02222FB6
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Scanned Payment Copy00024.scr.exe Code function: 1_2_0221D12A rdtsc 1_2_0221D12A
Source: C:\Users\user\Desktop\Scanned Payment Copy00024.scr.exe Code function: 1_2_022266EC RtlAddVectoredExceptionHandler, 1_2_022266EC
Source: Scanned Payment Copy00024.scr.exe, 00000001.00000002.870360138.0000000000D80000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: Scanned Payment Copy00024.scr.exe, 00000001.00000002.870360138.0000000000D80000.00000002.00020000.sdmp Binary or memory string: Progman
Source: Scanned Payment Copy00024.scr.exe, 00000001.00000002.870360138.0000000000D80000.00000002.00020000.sdmp Binary or memory string: &Program Manager
Source: Scanned Payment Copy00024.scr.exe, 00000001.00000002.870360138.0000000000D80000.00000002.00020000.sdmp Binary or memory string: Progmanlock
No contacted IP information