Windows Analysis Report draft_inv dec21.exe

Overview

General Information

Sample Name: draft_inv dec21.exe
Analysis ID: 531747
MD5: 89a584acaeb2f9e8baf46714eb7d3550
SHA1: 263ff0b238d57cfc30492f8801530b9986dcae38
SHA256: 59ae017767f6a56eba79abdad1343cba3643744f4668b320c30fda283abdedf2

Detection

GuLoader
Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Found potential dummy code loops (likely to delay analysis)
Uses 32bit PE files
Sample file is different than original file name gathered from version info
PE file contains strange resources
Contains functionality to read the PEB
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Program does not show much activity (idle)
Contains functionality for execution timing, often used to detect debuggers
Abnormal high CPU Usage

Classification

AV Detection:

Found malware configuration
Source: 00000000.00000002.1200998777.0000000002CA0000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://statuswar.info/GHDFR/bin_rOlFDOAa61.bin"}
Multi AV Scanner detection for submitted file
Source: draft_inv dec21.exe Metadefender: Detection: 20%
Source: draft_inv dec21.exe ReversingLabs: Detection: 17%

Compliance:

Uses 32bit PE files
Source: draft_inv dec21.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://statuswar.info/GHDFR/bin_rOlFDOAa61.bin

System Summary:

Uses 32bit PE files
Source: draft_inv dec21.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Sample file is different than original file name gathered from version info
Source: draft_inv dec21.exe, 00000000.00000000.674652784.0000000000421000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameprajesselv.exe vs draft_inv dec21.exe
Source: draft_inv dec21.exe, 00000000.00000002.1200866367.0000000002980000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameprajesselv.exeFE2XCx Frak vs draft_inv dec21.exe
Source: draft_inv dec21.exe Binary or memory string: OriginalFilenameprajesselv.exe vs draft_inv dec21.exe
PE file contains strange resources
Source: draft_inv dec21.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Detected potential crypto function
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 0_2_02CB02FD 0_2_02CB02FD
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\draft_inv dec21.exe Process Stats: CPU usage > 98%
Source: draft_inv dec21.exe Metadefender: Detection: 20%
Source: draft_inv dec21.exe ReversingLabs: Detection: 17%
Source: draft_inv dec21.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\draft_inv dec21.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\draft_inv dec21.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\draft_inv dec21.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}\InprocServer32
Source: C:\Users\user\Desktop\draft_inv dec21.exe File created: C:\Users\user\AppData\Local\Temp\~DF91089FF9233BF8CB.TMP
Source: classification engine Classification label: mal72.troj.evad.winEXE@1/1@0/0

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000000.00000002.1200998777.0000000002CA0000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 0_2_0040846A push ds; retf 0_2_00408472
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 0_2_00407608 push ebx; iretd 0_2_00407609
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 0_2_00405C16 push ss; iretd 0_2_00405BC7
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 0_2_004094E5 push esi; iretd 0_2_004094E7
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 0_2_00405B7D push ss; iretd 0_2_00405BC7
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 0_2_00407F07 push ebp; retf 0_2_00407F0F
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 0_2_00408119 push ebx; iretd 0_2_0040811B
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 0_2_02CA5A84 push edi; ret 0_2_02CA5A89
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 0_2_02CA084B push ss; retf 0_2_02CA0852
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 0_2_02CA5A48 push edi; ret 0_2_02CA5A89
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 0_2_02CA0BC1 push FFB8EB81h; ret 0_2_02CA0BC6
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 0_2_02CA399C push esp; ret 0_2_02CA39EF
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 0_2_02CA2B3A push cs; iretd 0_2_02CA2B3F

Hooking and other Techniques for Hiding and Protection:

Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\draft_inv dec21.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\draft_inv dec21.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\draft_inv dec21.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\draft_inv dec21.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\draft_inv dec21.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\draft_inv dec21.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 0_2_02CB08D3 rdtsc 0_2_02CB08D3

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)
Source: C:\Users\user\Desktop\draft_inv dec21.exe Process Stats: CPU usage > 90% for more than 60s
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 0_2_02CAF610 mov eax, dword ptr fs:[00000030h] 0_2_02CAF610
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 0_2_02CAC50C mov eax, dword ptr fs:[00000030h] 0_2_02CAC50C
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 0_2_02CB08D3 rdtsc 0_2_02CB08D3
Source: draft_inv dec21.exe, 00000000.00000002.1200704632.0000000000D90000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: draft_inv dec21.exe, 00000000.00000002.1200704632.0000000000D90000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: draft_inv dec21.exe, 00000000.00000002.1200704632.0000000000D90000.00000002.00020000.sdmp Binary or memory string: Progman
Source: draft_inv dec21.exe, 00000000.00000002.1200704632.0000000000D90000.00000002.00020000.sdmp Binary or memory string: Progmanlock
No contacted IP infos