Windows Analysis Report DHL Express shipment notification.exe

Overview

General Information

Sample Name: DHL Express shipment notification.exe
Analysis ID: 532143
MD5: 26e034a56f86ed41cb3e869095ec73b7
SHA1: a74551ce377aadbaae0b31b54b2536daaa832754
SHA256: 60ab75a94e04aa5dfab1a68da060a817e9f5ccb79f8a93d0c3dbfe47cb526b7d
Tags: DHL, exe, GuLoader, signed

Detection

GuLoader
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Potential malicious icon found
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Tries to detect virtualization through RDTSC time measurements
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Sample file is different than original file name gathered from version info
PE file contains strange resources
Contains functionality to read the PEB
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
PE / OLE file has an invalid certificate
Contains functionality for execution timing, often used to detect debuggers
Abnormal high CPU Usage

Classification

AV Detection:

Found malware configuration
Source: 00000000.00000002.778696939.00000000021D0000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=downlo8"}
Multi AV Scanner detection for submitted file
Source: DHL Express shipment notification.exe Virustotal: Detection: 25%
Source: DHL Express shipment notification.exe ReversingLabs: Detection: 11%

Compliance:

Uses 32bit PE files
Source: DHL Express shipment notification.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://drive.google.com/uc?export=downlo8
Source: DHL Express shipment notification.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: DHL Express shipment notification.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: DHL Express shipment notification.exe String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: DHL Express shipment notification.exe String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: DHL Express shipment notification.exe String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: DHL Express shipment notification.exe String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: DHL Express shipment notification.exe String found in binary or memory: http://ocsp.digicert.com0C
Source: DHL Express shipment notification.exe String found in binary or memory: http://ocsp.digicert.com0O
Source: DHL Express shipment notification.exe String found in binary or memory: http://www.digicert.com/CPS0
Source: DHL Express shipment notification.exe String found in binary or memory: https://www.digicert.com/CPS0

System Summary:

Potential malicious icon found
Source: initial sample Icon embedded in PE file: bad icon match: 20047c7c70f0e004
Uses 32bit PE files
Source: DHL Express shipment notification.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Sample file is different than original file name gathered from version info
Source: DHL Express shipment notification.exe, 00000000.00000002.778676915.00000000020D0000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSlesk8.exeFE2XW vs DHL Express shipment notification.exe
Source: DHL Express shipment notification.exe, 00000000.00000002.777938364.0000000000424000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameSlesk8.exe vs DHL Express shipment notification.exe
Source: DHL Express shipment notification.exe Binary or memory string: OriginalFilenameSlesk8.exe vs DHL Express shipment notification.exe
PE file contains strange resources
Source: DHL Express shipment notification.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Detected potential crypto function
Source: C:\Users\user\Desktop\DHL Express shipment notification.exe Code function: 0_2_021E6860 0_2_021E6860
Source: C:\Users\user\Desktop\DHL Express shipment notification.exe Code function: 0_2_021DAA34 0_2_021DAA34
Source: C:\Users\user\Desktop\DHL Express shipment notification.exe Code function: 0_2_021DDFFD 0_2_021DDFFD
Source: C:\Users\user\Desktop\DHL Express shipment notification.exe Code function: 0_2_021E39E4 0_2_021E39E4
PE / OLE file has an invalid certificate
Source: DHL Express shipment notification.exe Static PE information: invalid certificate
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\DHL Express shipment notification.exe Process Stats: CPU usage > 98%
Source: DHL Express shipment notification.exe Virustotal: Detection: 25%
Source: DHL Express shipment notification.exe ReversingLabs: Detection: 11%
Source: DHL Express shipment notification.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\DHL Express shipment notification.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\DHL Express shipment notification.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\DHL Express shipment notification.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}\InprocServer32
Source: C:\Users\user\Desktop\DHL Express shipment notification.exe File created: C:\Users\user\AppData\Roaming\XvFu5flZcgudIlwvVLtjOx372
Source: classification engine Classification label: mal80.rans.troj.evad.winEXE@1/0@0/0

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000000.00000002.778696939.00000000021D0000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\DHL Express shipment notification.exe Code function: 0_2_00406464 push edx; iretd 0_2_0040647C
Source: C:\Users\user\Desktop\DHL Express shipment notification.exe Code function: 0_2_0040A07F push ds; iretd 0_2_0040A095
Source: C:\Users\user\Desktop\DHL Express shipment notification.exe Code function: 0_2_004070A2 push 3E0AA415h; retf 0_2_004070B7
Source: C:\Users\user\Desktop\DHL Express shipment notification.exe Code function: 0_2_00403976 pushfd ; ret 0_2_0040398B
Source: C:\Users\user\Desktop\DHL Express shipment notification.exe Code function: 0_2_021D26FB push eax; iretd 0_2_021D26FC
Source: C:\Users\user\Desktop\DHL Express shipment notification.exe Code function: 0_2_021D4C6D push eax; iretd 0_2_021D4C6F
Source: C:\Users\user\Desktop\DHL Express shipment notification.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\DHL Express shipment notification.exe RDTSC instruction interceptor: First address: 00000000021E3495 second address: 00000000021E3495 instructions:
    0x00000000 rdtsc
    0x00000002 mov eax, 36E14280h
    0x00000007 xor eax, 7FA3071Ah
    0x0000000c sub eax, F9689012h
    0x00000011 sub eax, 4FD9B587h
    0x00000016 cpuid
    0x00000018 popad
    0x00000019 call 00007F51E8F968F7h
    0x0000001e lfence
    0x00000021 mov edx, E407433Dh
    0x00000026 add edx, 04D23EBAh
    0x0000002c add edx, 3E86FD7Bh
    0x00000032 xor edx, 589E7F66h
    0x00000038 mov edx, dword ptr [edx]
    0x0000003a lfence
    0x0000003d jmp 00007F51E8F968DDh
    0x00000042 test cl, al
    0x00000044 cmp al, 3Fh
    0x00000046 test ch, ah
    0x00000048 ret
    0x00000049 jmp 00007F51E8F968E9h
    0x0000004e test ebx, 2244023Eh
    0x00000054 sub edx, esi
    0x00000056 ret
    0x00000057 add edi, edx
    0x00000059 dec dword ptr [ebp+000000F8h]
    0x0000005f test ecx, ebx
    0x00000061 cmp dword ptr [ebp+000000F8h], 00000000h
    0x00000068 jne 00007F51E8F967FAh
    0x0000006a call 00007F51E8F96861h
    0x0000006f call 00007F51E8F96918h
    0x00000074 lfence
    0x00000077 mov edx, E407433Dh
    0x0000007c add edx, 04D23EBAh
    0x00000082 add edx, 3E86FD7Bh
    0x00000088 xor edx, 589E7F66h
    0x0000008e mov edx, dword ptr [edx]
    0x00000090 lfence
    0x00000093 jmp 00007F51E8F968DDh
    0x00000098 test cl, al
    0x0000009a cmp al, 3Fh
    0x0000009c test ch, ah
    0x0000009e ret
    0x0000009f mov esi, edx
    0x000000a1 pushad
    0x000000a2 rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\DHL Express shipment notification.exe Code function: 0_2_021E3692 rdtsc 0_2_021E3692

Anti Debugging:

Contains functionality to read the PEB
Source: C:\Users\user\Desktop\DHL Express shipment notification.exe Code function: 0_2_021E1E86 mov eax, dword ptr fs:[00000030h] 0_2_021E1E86
Source: C:\Users\user\Desktop\DHL Express shipment notification.exe Code function: 0_2_021E2A85 mov eax, dword ptr fs:[00000030h] 0_2_021E2A85
Source: C:\Users\user\Desktop\DHL Express shipment notification.exe Code function: 0_2_021DCF89 mov eax, dword ptr fs:[00000030h] 0_2_021DCF89
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\DHL Express shipment notification.exe Code function: 0_2_021E3692 rdtsc 0_2_021E3692
Source: C:\Users\user\Desktop\DHL Express shipment notification.exe Code function: 0_2_021E6860 RtlAddVectoredExceptionHandler, 0_2_021E6860
Source: DHL Express shipment notification.exe, 00000000.00000002.778410130.0000000000CC0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: DHL Express shipment notification.exe, 00000000.00000002.778410130.0000000000CC0000.00000002.00020000.sdmp Binary or memory string: Progman
Source: DHL Express shipment notification.exe, 00000000.00000002.778410130.0000000000CC0000.00000002.00020000.sdmp Binary or memory string: SProgram Managerl
Source: DHL Express shipment notification.exe, 00000000.00000002.778410130.0000000000CC0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd,
Source: DHL Express shipment notification.exe, 00000000.00000002.778410130.0000000000CC0000.00000002.00020000.sdmp Binary or memory string: Progmanlock
No contacted IP infos