Windows Analysis Report FACTURAS.exe

Overview

General Information

Sample Name: FACTURAS.exe
Analysis ID: 531838
MD5: ab82f374210a08b2221d5e1807400a32
SHA1: 6a56b81549185015743deaa196996f73787c5c7d
SHA256: ab41887e471ac822f1240bf554098fa042910f1c7ac2f9e390081829515bc2fa
Tags: exesigned

Detection

GuLoader
Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Potential malicious icon found
Multi AV Scanner detection for submitted file
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
PE / OLE file has an invalid certificate
Sample file is different than original file name gathered from version info
PE file contains strange resources
Contains functionality to read the PEB
Uses code obfuscation techniques (call, push, ret)
Contains functionality for execution timing, often used to detect debuggers
Abnormal high CPU Usage
Detected potential crypto function

Classification

AV Detection:

Found malware configuration
Source: 00000000.00000002.822667479.0000000002A80000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=11UpsPasq_HHoJ"}
Multi AV Scanner detection for submitted file
Source: FACTURAS.exe ReversingLabs: Detection: 13%

Compliance:

Uses 32bit PE files
Source: FACTURAS.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://drive.google.com/uc?export=download&id=11UpsPasq_HHoJ
Source: FACTURAS.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: FACTURAS.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: FACTURAS.exe String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: FACTURAS.exe String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: FACTURAS.exe String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: FACTURAS.exe String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: FACTURAS.exe String found in binary or memory: http://ocsp.digicert.com0C
Source: FACTURAS.exe String found in binary or memory: http://ocsp.digicert.com0O
Source: FACTURAS.exe String found in binary or memory: http://www.digicert.com/CPS0
Source: FACTURAS.exe String found in binary or memory: https://www.digicert.com/CPS0

System Summary:

Potential malicious icon found
Source: initial sample Icon embedded in PE file: bad icon match: 20047c7c70f0e004
Uses 32bit PE files
Source: FACTURAS.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
PE / OLE file has an invalid certificate
Source: FACTURAS.exe Static PE information: invalid certificate
Sample file is different than original file name gathered from version info
Source: FACTURAS.exe, 00000000.00000000.290801203.0000000000424000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamefilterhjdens.exe vs FACTURAS.exe
Source: FACTURAS.exe, 00000000.00000002.820596620.0000000002800000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamefilterhjdens.exeFE2XK vs FACTURAS.exe
Source: FACTURAS.exe Binary or memory string: OriginalFilenamefilterhjdens.exe vs FACTURAS.exe
PE file contains strange resources
Source: FACTURAS.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\FACTURAS.exe Process Stats: CPU usage > 98%
Detected potential crypto function
Source: C:\Users\user\Desktop\FACTURAS.exe Code function: 0_2_00403540 0_2_00403540
Source: C:\Users\user\Desktop\FACTURAS.exe Code function: 0_2_02A8CC26 0_2_02A8CC26
Source: FACTURAS.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\FACTURAS.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\FACTURAS.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: classification engine Classification label: mal76.rans.troj.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\FACTURAS.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}\InprocServer32
Source: C:\Users\user\Desktop\FACTURAS.exe File created: C:\Users\user\AppData\Roaming\XvFu5flZcgudIlwvVLtjOx372

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000000.00000002.822667479.0000000002A80000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\FACTURAS.exe Code function: 0_2_0040A86B push ebx; retf 0_2_0040A86D
Source: C:\Users\user\Desktop\FACTURAS.exe Code function: 0_2_0040A00A push EDF1CA21h; ret 0_2_0040A010
Source: C:\Users\user\Desktop\FACTURAS.exe Code function: 0_2_00409212 push ecx; retf 0_2_0040922A
Source: C:\Users\user\Desktop\FACTURAS.exe Code function: 0_2_00404AC6 push ebp; ret 0_2_00404AC7
Source: C:\Users\user\Desktop\FACTURAS.exe Code function: 0_2_00404AD5 push cs; iretd 0_2_00404AD8
Source: C:\Users\user\Desktop\FACTURAS.exe Code function: 0_2_0040A2B2 push ss; retf 0_2_0040A2B4
Source: C:\Users\user\Desktop\FACTURAS.exe Code function: 0_2_00406DF9 push edi; iretd 0_2_00406DFA
Source: C:\Users\user\Desktop\FACTURAS.exe Code function: 0_2_02A871D6 push eax; ret 0_2_02A871D5
Source: C:\Users\user\Desktop\FACTURAS.exe Code function: 0_2_02A87176 push eax; ret 0_2_02A871D5
Source: C:\Users\user\Desktop\FACTURAS.exe Code function: 0_2_02A81A64 push eax; retf 0_2_02A81A71
Source: C:\Users\user\Desktop\FACTURAS.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\FACTURAS.exe Code function: 0_2_02A8D105 rdtsc 0_2_02A8D105

Anti Debugging:

Contains functionality to read the PEB
Source: C:\Users\user\Desktop\FACTURAS.exe Code function: 0_2_02A930FB mov eax, dword ptr fs:[00000030h] 0_2_02A930FB
Source: C:\Users\user\Desktop\FACTURAS.exe Code function: 0_2_02A92703 mov eax, dword ptr fs:[00000030h] 0_2_02A92703
Source: C:\Users\user\Desktop\FACTURAS.exe Code function: 0_2_02A8C5E2 mov eax, dword ptr fs:[00000030h] 0_2_02A8C5E2
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\FACTURAS.exe Code function: 0_2_02A8D105 rdtsc 0_2_02A8D105
Source: FACTURAS.exe, 00000000.00000002.816581992.0000000000C30000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: FACTURAS.exe, 00000000.00000002.816581992.0000000000C30000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: FACTURAS.exe, 00000000.00000002.816581992.0000000000C30000.00000002.00020000.sdmp Binary or memory string: Progman
Source: FACTURAS.exe, 00000000.00000002.816581992.0000000000C30000.00000002.00020000.sdmp Binary or memory string: Progmanlock
No contacted IP infos