Windows Analysis Report Transferencia_29_11_2021 17.03.39.exe

Overview

General Information

Sample Name: Transferencia_29_11_2021 17.03.39.exe
Analysis ID: 532136
MD5: a70cf8fdf5c68e414bad4494a44f272a
SHA1: 4a974930db625492a8aa3f046759db6f3f057129
SHA256: dd7883497ba8fc4a8fac606d4f3cec70b6d42c0017e320f9becb071d899c6c30
Tags: exesigned

Detection

GuLoader
Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Potential malicious icon found
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
PE / OLE file has an invalid certificate
Contains functionality to call native functions
Sample file is different than original file name gathered from version info
PE file contains strange resources
Contains functionality to read the PEB
Uses code obfuscation techniques (call, push, ret)
Contains functionality for execution timing, often used to detect debuggers
Abnormal high CPU Usage
Detected potential crypto function

Classification

AV Detection:

Found malware configuration
Source: 00000000.00000002.882678032.00000000020F0000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=1V_BC3orZyo_Cje"}

Compliance:

Uses 32bit PE files
Source: Transferencia_29_11_2021 17.03.39.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://drive.google.com/uc?export=download&id=1V_BC3orZyo_Cje
Source: Transferencia_29_11_2021 17.03.39.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: Transferencia_29_11_2021 17.03.39.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: Transferencia_29_11_2021 17.03.39.exe String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: Transferencia_29_11_2021 17.03.39.exe String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: Transferencia_29_11_2021 17.03.39.exe String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: Transferencia_29_11_2021 17.03.39.exe String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: Transferencia_29_11_2021 17.03.39.exe String found in binary or memory: http://ocsp.digicert.com0C
Source: Transferencia_29_11_2021 17.03.39.exe String found in binary or memory: http://ocsp.digicert.com0O
Source: Transferencia_29_11_2021 17.03.39.exe String found in binary or memory: http://www.digicert.com/CPS0
Source: Transferencia_29_11_2021 17.03.39.exe String found in binary or memory: https://www.digicert.com/CPS0

System Summary:

Potential malicious icon found
Source: initial sample Icon embedded in PE file: bad icon match: 20047c7c70f0e004
Uses 32bit PE files
Source: Transferencia_29_11_2021 17.03.39.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
PE / OLE file has an invalid certificate
Source: Transferencia_29_11_2021 17.03.39.exe Static PE information: invalid certificate
Contains functionality to call native functions
Source: C:\Users\user\Desktop\Transferencia_29_11_2021 17.03.39.exe Code function: 0_2_020FD800 NtAllocateVirtualMemory, 0_2_020FD800
Source: C:\Users\user\Desktop\Transferencia_29_11_2021 17.03.39.exe Code function: 0_2_020FD025 NtAllocateVirtualMemory, 0_2_020FD025
Sample file is different than original file name gathered from version info
Source: Transferencia_29_11_2021 17.03.39.exe, 00000000.00000002.883074798.0000000002AA0000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameoutrunner.exeFE2XU vs Transferencia_29_11_2021 17.03.39.exe
Source: Transferencia_29_11_2021 17.03.39.exe, 00000000.00000000.357361914.0000000000424000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameoutrunner.exe vs Transferencia_29_11_2021 17.03.39.exe
Source: Transferencia_29_11_2021 17.03.39.exe Binary or memory string: OriginalFilenameoutrunner.exe vs Transferencia_29_11_2021 17.03.39.exe
PE file contains strange resources
Source: Transferencia_29_11_2021 17.03.39.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\Transferencia_29_11_2021 17.03.39.exe Process Stats: CPU usage > 98%
Detected potential crypto function
Source: C:\Users\user\Desktop\Transferencia_29_11_2021 17.03.39.exe Code function: 0_2_02106751 0_2_02106751
Source: C:\Users\user\Desktop\Transferencia_29_11_2021 17.03.39.exe Code function: 0_2_020FD800 0_2_020FD800
Source: C:\Users\user\Desktop\Transferencia_29_11_2021 17.03.39.exe Code function: 0_2_020FD2A9 0_2_020FD2A9
Source: C:\Users\user\Desktop\Transferencia_29_11_2021 17.03.39.exe Code function: 0_2_020F177F 0_2_020F177F
Source: C:\Users\user\Desktop\Transferencia_29_11_2021 17.03.39.exe Code function: 0_2_02104B64 0_2_02104B64
Source: C:\Users\user\Desktop\Transferencia_29_11_2021 17.03.39.exe Code function: 0_2_020F97F8 0_2_020F97F8
Source: C:\Users\user\Desktop\Transferencia_29_11_2021 17.03.39.exe Code function: 0_2_020FD025 0_2_020FD025
Source: C:\Users\user\Desktop\Transferencia_29_11_2021 17.03.39.exe Code function: 0_2_021048F5 0_2_021048F5
Source: C:\Users\user\Desktop\Transferencia_29_11_2021 17.03.39.exe Code function: 0_2_021035B4 0_2_021035B4
Source: C:\Users\user\Desktop\Transferencia_29_11_2021 17.03.39.exe Code function: 0_2_020FE1A3 0_2_020FE1A3
Source: Transferencia_29_11_2021 17.03.39.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Transferencia_29_11_2021 17.03.39.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Transferencia_29_11_2021 17.03.39.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: classification engine Classification label: mal68.rans.troj.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\Transferencia_29_11_2021 17.03.39.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}\InprocServer32
Source: C:\Users\user\Desktop\Transferencia_29_11_2021 17.03.39.exe File created: C:\Users\user\AppData\Roaming\XvFu5flZcgudIlwvVLtjOx372

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000000.00000002.882678032.00000000020F0000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Transferencia_29_11_2021 17.03.39.exe Code function: 0_2_00404857 push cs; ret 0_2_00404858
Source: C:\Users\user\Desktop\Transferencia_29_11_2021 17.03.39.exe Code function: 0_2_00405D21 push E5BAE958h; ret 0_2_00405D26
Source: C:\Users\user\Desktop\Transferencia_29_11_2021 17.03.39.exe Code function: 0_2_020FD800 push ds; iretd 0_2_020FE17E
Source: C:\Users\user\Desktop\Transferencia_29_11_2021 17.03.39.exe Code function: 0_2_020F0A0B push es; retf 29E3h 0_2_020FFBC8
Source: C:\Users\user\Desktop\Transferencia_29_11_2021 17.03.39.exe Code function: 0_2_020F4170 push ds; iretd 0_2_020F4171
Source: C:\Users\user\Desktop\Transferencia_29_11_2021 17.03.39.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Transferencia_29_11_2021 17.03.39.exe Code function: 0_2_020FCF30 rdtsc 0_2_020FCF30

Anti Debugging:

Contains functionality to read the PEB
Source: C:\Users\user\Desktop\Transferencia_29_11_2021 17.03.39.exe Code function: 0_2_02104B64 mov eax, dword ptr fs:[00000030h] 0_2_02104B64
Source: C:\Users\user\Desktop\Transferencia_29_11_2021 17.03.39.exe Code function: 0_2_021027CD mov eax, dword ptr fs:[00000030h] 0_2_021027CD
Source: C:\Users\user\Desktop\Transferencia_29_11_2021 17.03.39.exe Code function: 0_2_020FC46B mov eax, dword ptr fs:[00000030h] 0_2_020FC46B
Source: C:\Users\user\Desktop\Transferencia_29_11_2021 17.03.39.exe Code function: 0_2_02103111 mov eax, dword ptr fs:[00000030h] 0_2_02103111
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Transferencia_29_11_2021 17.03.39.exe Code function: 0_2_020FCF30 rdtsc 0_2_020FCF30
Source: C:\Users\user\Desktop\Transferencia_29_11_2021 17.03.39.exe Code function: 0_2_02106751 RtlAddVectoredExceptionHandler, 0_2_02106751
Source: Transferencia_29_11_2021 17.03.39.exe, 00000000.00000002.882623015.0000000000C80000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: Transferencia_29_11_2021 17.03.39.exe, 00000000.00000002.882623015.0000000000C80000.00000002.00020000.sdmp Binary or memory string: Progman
Source: Transferencia_29_11_2021 17.03.39.exe, 00000000.00000002.882623015.0000000000C80000.00000002.00020000.sdmp Binary or memory string: &Program Manager
Source: Transferencia_29_11_2021 17.03.39.exe, 00000000.00000002.882623015.0000000000C80000.00000002.00020000.sdmp Binary or memory string: Progmanlock
No contacted IP infos