Windows Analysis Report CI_PL_BL_ 4100675407_xls.exe

Overview

General Information

Sample Name: CI_PL_BL_ 4100675407_xls.exe
Analysis ID: 530857
MD5: 94cb19d0951996cdb8b4cb914248763e
SHA1: fa319fb54dfb0b1f715a19924087cacef22ccbcf
SHA256: 4ff14d83a926458439f039ea2e756a646b2bb63be4fd22ed8559138214efcaf8
Tags: exe, guloader

Detection

GuLoader
Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Found potential dummy code loops (likely to delay analysis)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Sample file is different than original file name gathered from version info
PE file contains strange resources
Contains functionality to read the PEB
Program does not show much activity (idle)
Uses code obfuscation techniques (call, push, ret)
Contains functionality for execution timing, often used to detect debuggers
Abnormal high CPU Usage
Detected potential crypto function

AV Detection:

Found malware configuration
Source: 00000000.00000002.1175743788.00000000021A0000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://bgreenidaho.com/Crur/bin_TLiGMZYC180.bin"}
Multi AV Scanner detection for submitted file
Source: CI_PL_BL_ 4100675407_xls.exe ReversingLabs: Detection: 35%

Compliance:

Uses 32bit PE files
Source: CI_PL_BL_ 4100675407_xls.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://bgreenidaho.com/Crur/bin_TLiGMZYC180.bin

System Summary:

Uses 32bit PE files
Source: CI_PL_BL_ 4100675407_xls.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Sample file is different than original file name gathered from version info
Source: CI_PL_BL_ 4100675407_xls.exe, 00000000.00000002.1175536540.0000000000423000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameTornf2.exe vs CI_PL_BL_ 4100675407_xls.exe
Source: CI_PL_BL_ 4100675407_xls.exe Binary or memory string: OriginalFilenameTornf2.exe vs CI_PL_BL_ 4100675407_xls.exe
PE file contains strange resources
Source: CI_PL_BL_ 4100675407_xls.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\CI_PL_BL_ 4100675407_xls.exe Process Stats: CPU usage > 98%
Detected potential crypto function
Source: C:\Users\user\Desktop\CI_PL_BL_ 4100675407_xls.exe Code function: 0_2_021AFF33 0_2_021AFF33
Source: C:\Users\user\Desktop\CI_PL_BL_ 4100675407_xls.exe Code function: 0_2_021B0520 0_2_021B0520
Source: C:\Users\user\Desktop\CI_PL_BL_ 4100675407_xls.exe Code function: 0_2_021AA749 0_2_021AA749
Source: CI_PL_BL_ 4100675407_xls.exe ReversingLabs: Detection: 35%
Source: C:\Users\user\Desktop\CI_PL_BL_ 4100675407_xls.exe File created: C:\Users\user\AppData\Local\Temp\~DF86C6EDC191096B55.TMP
Source: CI_PL_BL_ 4100675407_xls.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\CI_PL_BL_ 4100675407_xls.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\CI_PL_BL_ 4100675407_xls.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: classification engine Classification label: mal72.troj.evad.winEXE@1/1@0/0

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000000.00000002.1175743788.00000000021A0000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\CI_PL_BL_ 4100675407_xls.exe Code function: 0_2_004074C8 push 713BC6CEh; iretd 0_2_004074D6
Source: C:\Users\user\Desktop\CI_PL_BL_ 4100675407_xls.exe Code function: 0_2_00406CDB push esi; ret 0_2_00406CDC
Source: C:\Users\user\Desktop\CI_PL_BL_ 4100675407_xls.exe Code function: 0_2_004095C1 push 74E4E9CEh; iretd 0_2_004095C6
Source: C:\Users\user\Desktop\CI_PL_BL_ 4100675407_xls.exe Code function: 0_2_00407DA1 push E5AD70CEh; retf 0_2_00407DA6
Source: C:\Users\user\Desktop\CI_PL_BL_ 4100675407_xls.exe Code function: 0_2_0040966A pushad ; iretd 0_2_0040979D
Source: C:\Users\user\Desktop\CI_PL_BL_ 4100675407_xls.exe Code function: 0_2_00405E18 push eax; retf 0_2_00405E19
Source: C:\Users\user\Desktop\CI_PL_BL_ 4100675407_xls.exe Code function: 0_2_00407A19 push ADDCA7CEh; iretd 0_2_00407A1E
Source: C:\Users\user\Desktop\CI_PL_BL_ 4100675407_xls.exe Code function: 0_2_0040968D pushad ; iretd 0_2_0040979D
Source: C:\Users\user\Desktop\CI_PL_BL_ 4100675407_xls.exe Code function: 0_2_021A2807 push FFFFFFABh; ret 0_2_021A2879
Source: C:\Users\user\Desktop\CI_PL_BL_ 4100675407_xls.exe Code function: 0_2_021A282C push FFFFFFABh; ret 0_2_021A2879
Source: C:\Users\user\Desktop\CI_PL_BL_ 4100675407_xls.exe Code function: 0_2_021A4E4E push es; iretd 0_2_021A4E4F
Source: C:\Users\user\Desktop\CI_PL_BL_ 4100675407_xls.exe Code function: 0_2_021A54AB push cs; iretd 0_2_021A54F8
Source: C:\Users\user\Desktop\CI_PL_BL_ 4100675407_xls.exe Code function: 0_2_021A5396 push edi; ret 0_2_021A5397
Source: C:\Users\user\Desktop\CI_PL_BL_ 4100675407_xls.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\CI_PL_BL_ 4100675407_xls.exe Code function: 0_2_021B0A39 rdtsc 0_2_021B0A39

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)
Source: C:\Users\user\Desktop\CI_PL_BL_ 4100675407_xls.exe Process Stats: CPU usage > 90% for more than 60s
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\CI_PL_BL_ 4100675407_xls.exe Code function: 0_2_021AF77C mov eax, dword ptr fs:[00000030h] 0_2_021AF77C
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\CI_PL_BL_ 4100675407_xls.exe Code function: 0_2_021B0A39 rdtsc 0_2_021B0A39
Source: CI_PL_BL_ 4100675407_xls.exe, 00000000.00000002.1175637395.0000000000C60000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: CI_PL_BL_ 4100675407_xls.exe, 00000000.00000002.1175637395.0000000000C60000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: CI_PL_BL_ 4100675407_xls.exe, 00000000.00000002.1175637395.0000000000C60000.00000002.00020000.sdmp Binary or memory string: Progman
Source: CI_PL_BL_ 4100675407_xls.exe, 00000000.00000002.1175637395.0000000000C60000.00000002.00020000.sdmp Binary or memory string: Progmanlock
No contacted IP infos