Windows Analysis Report Confirming - Aviso de pago.exe

Overview

General Information

Sample Name: Confirming - Aviso de pago.exe
Analysis ID: 531043
MD5: 660a906018931ad7d39aaaf72b0b8e58
SHA1: adc917568cdfb8dea81c2f5793f69720609ee086
SHA256: 520c53fa3cc5121f1a8ab6600e9ee4cbe40d0f61712a4fc062c9db02953f5420

Detection

GuLoader
Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Creates a DirectInput object (often for capturing keystrokes)
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Sample file is different than original file name gathered from version info
PE file contains strange resources
Contains functionality to read the PEB
Uses code obfuscation techniques (call, push, ret)
Contains functionality for execution timing, often used to detect debuggers
Abnormal high CPU Usage
Detected potential crypto function

AV Detection:

Found malware configuration
Source: 00000000.00000002.1192983294.0000000002220000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download"}

Compliance:

Uses 32bit PE files
Source: Confirming - Aviso de pago.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://drive.google.com/uc?export=download

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: Confirming - Aviso de pago.exe, 00000000.00000002.1192776677.000000000064A000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Uses 32bit PE files
Source: Confirming - Aviso de pago.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Sample file is different than original file name gathered from version info
Source: Confirming - Aviso de pago.exe, 00000000.00000002.1192700655.0000000000424000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameGrammatikklassen.exe vs Confirming - Aviso de pago.exe
Source: Confirming - Aviso de pago.exe, 00000000.00000002.1193046924.0000000002AC0000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameGrammatikklassen.exeFE2X vs Confirming - Aviso de pago.exe
Source: Confirming - Aviso de pago.exe Binary or memory string: OriginalFilenameGrammatikklassen.exe vs Confirming - Aviso de pago.exe
PE file contains strange resources
Source: Confirming - Aviso de pago.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\Confirming - Aviso de pago.exe Process Stats: CPU usage > 98%
Detected potential crypto function
Source: C:\Users\user\Desktop\Confirming - Aviso de pago.exe Code function: 0_2_0222D427 0_2_0222D427
Source: C:\Users\user\Desktop\Confirming - Aviso de pago.exe Code function: 0_2_0222E224 0_2_0222E224
Source: C:\Users\user\Desktop\Confirming - Aviso de pago.exe Code function: 0_2_02234ACC 0_2_02234ACC
Source: C:\Users\user\Desktop\Confirming - Aviso de pago.exe Code function: 0_2_02228FA3 0_2_02228FA3
Source: C:\Users\user\Desktop\Confirming - Aviso de pago.exe File created: C:\Users\user\AppData\Local\Temp\~DF90AE401F15B67D78.TMP
Source: Confirming - Aviso de pago.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Confirming - Aviso de pago.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Confirming - Aviso de pago.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: classification engine Classification label: mal60.troj.winEXE@2/1@0/0
Source: unknown Process created: C:\Users\user\Desktop\Confirming - Aviso de pago.exe "C:\Users\user\Desktop\Confirming - Aviso de pago.exe"
Source: C:\Users\user\Desktop\Confirming - Aviso de pago.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6104:120:WilError_01

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000000.00000002.1192983294.0000000002220000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Confirming - Aviso de pago.exe Code function: 0_2_004048D5 pushfd ; retf 0_2_004048D7
Source: C:\Users\user\Desktop\Confirming - Aviso de pago.exe Code function: 0_2_00408774 push ebx; iretd 0_2_00408782
Source: C:\Users\user\Desktop\Confirming - Aviso de pago.exe Code function: 0_2_00408706 push ebx; iretd 0_2_00408782
Source: C:\Users\user\Desktop\Confirming - Aviso de pago.exe Code function: 0_2_02221E64 push es; ret 0_2_02221E65
Source: C:\Users\user\Desktop\Confirming - Aviso de pago.exe Code function: 0_2_02223D2B push 4B5B5F30h; iretd 0_2_02223D4C
Source: C:\Users\user\Desktop\Confirming - Aviso de pago.exe Code function: 0_2_02223D7D push 4B5B5F30h; iretd 0_2_02223D4C
Source: C:\Users\user\Desktop\Confirming - Aviso de pago.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Confirming - Aviso de pago.exe Code function: 0_2_0222CA40 rdtsc 0_2_0222CA40

Anti Debugging:

Contains functionality to read the PEB
Source: C:\Users\user\Desktop\Confirming - Aviso de pago.exe Code function: 0_2_02233034 mov eax, dword ptr fs:[00000030h] 0_2_02233034
Source: C:\Users\user\Desktop\Confirming - Aviso de pago.exe Code function: 0_2_0222C67F mov eax, dword ptr fs:[00000030h] 0_2_0222C67F
Source: C:\Users\user\Desktop\Confirming - Aviso de pago.exe Code function: 0_2_02234ACC mov eax, dword ptr fs:[00000030h] 0_2_02234ACC
Source: C:\Users\user\Desktop\Confirming - Aviso de pago.exe Code function: 0_2_02232727 mov eax, dword ptr fs:[00000030h] 0_2_02232727
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Confirming - Aviso de pago.exe Code function: 0_2_0222CA40 rdtsc 0_2_0222CA40
Source: Confirming - Aviso de pago.exe, 00000000.00000002.1192878554.0000000000DD0000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: Confirming - Aviso de pago.exe, 00000000.00000002.1192878554.0000000000DD0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: Confirming - Aviso de pago.exe, 00000000.00000002.1192878554.0000000000DD0000.00000002.00020000.sdmp Binary or memory string: Progman
Source: Confirming - Aviso de pago.exe, 00000000.00000002.1192878554.0000000000DD0000.00000002.00020000.sdmp Binary or memory string: Progmanlock
No contacted IP infos