Windows Analysis Report Unpoetical.exe

Overview

General Information

Sample Name: Unpoetical.exe
Analysis ID: 532884
MD5: 72a83ab4f94c308d77e166e299b70420
SHA1: 541adced7fdeaab8977935628ec837a9dbd69e15
SHA256: 5de06140579c23eadb8f4f353255feb83711314b0752ca4fdfdf432d4bbc92c6
Infos:

Most interesting Screenshot:

Detection

GuLoader
Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Potential malicious icon found
Multi AV Scanner detection for submitted file
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
PE file contains strange resources
Contains functionality to read the PEB
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
PE / OLE file has an invalid certificate
Contains functionality to call native functions
Contains functionality for execution timing, often used to detect debuggers
Abnormal high CPU Usage

Classification

AV Detection:

barindex
Found malware configuration
Source: 00000000.00000002.875035981.00000000020E0000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=do"}
Multi AV Scanner detection for submitted file
Source: Unpoetical.exe Virustotal: Detection: 44% Perma Link
Source: Unpoetical.exe ReversingLabs: Detection: 60%

Compliance:

barindex
Uses 32bit PE files
Source: Unpoetical.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

barindex
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://drive.google.com/uc?export=do
Source: Unpoetical.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: Unpoetical.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: Unpoetical.exe String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: Unpoetical.exe String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: Unpoetical.exe String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: Unpoetical.exe String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: Unpoetical.exe String found in binary or memory: http://ocsp.digicert.com0C
Source: Unpoetical.exe String found in binary or memory: http://ocsp.digicert.com0O
Source: Unpoetical.exe String found in binary or memory: http://www.digicert.com/CPS0
Source: Unpoetical.exe String found in binary or memory: https://www.digicert.com/CPS0

System Summary:

barindex
Potential malicious icon found
Source: initial sample Icon embedded in PE file: bad icon match: 20047c7c70f0e004
Uses 32bit PE files
Source: Unpoetical.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
PE file contains strange resources
Source: Unpoetical.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Detected potential crypto function
Source: C:\Users\user\Desktop\Unpoetical.exe Code function: 0_2_020F6855 0_2_020F6855
Source: C:\Users\user\Desktop\Unpoetical.exe Code function: 0_2_020ED860 0_2_020ED860
Source: C:\Users\user\Desktop\Unpoetical.exe Code function: 0_2_020E168F 0_2_020E168F
Source: C:\Users\user\Desktop\Unpoetical.exe Code function: 0_2_020ED0C6 0_2_020ED0C6
Source: C:\Users\user\Desktop\Unpoetical.exe Code function: 0_2_020ED0DE 0_2_020ED0DE
Source: C:\Users\user\Desktop\Unpoetical.exe Code function: 0_2_020EC130 0_2_020EC130
Source: C:\Users\user\Desktop\Unpoetical.exe Code function: 0_2_020E9768 0_2_020E9768
Source: C:\Users\user\Desktop\Unpoetical.exe Code function: 0_2_020F4B8C 0_2_020F4B8C
Source: C:\Users\user\Desktop\Unpoetical.exe Code function: 0_2_020EE191 0_2_020EE191
PE / OLE file has an invalid certificate
Source: Unpoetical.exe Static PE information: invalid certificate
Contains functionality to call native functions
Source: C:\Users\user\Desktop\Unpoetical.exe Code function: 0_2_020ED860 NtAllocateVirtualMemory, 0_2_020ED860
Source: C:\Users\user\Desktop\Unpoetical.exe Code function: 0_2_020ED0C6 NtAllocateVirtualMemory, 0_2_020ED0C6
Source: C:\Users\user\Desktop\Unpoetical.exe Code function: 0_2_020ED0DE NtAllocateVirtualMemory, 0_2_020ED0DE
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\Unpoetical.exe Process Stats: CPU usage > 98%
Source: Unpoetical.exe Virustotal: Detection: 44%
Source: Unpoetical.exe ReversingLabs: Detection: 60%
Source: Unpoetical.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Unpoetical.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\Desktop\Unpoetical.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll Jump to behavior
Source: C:\Users\user\Desktop\Unpoetical.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}\InprocServer32 Jump to behavior
Source: C:\Users\user\Desktop\Unpoetical.exe File created: C:\Users\user\AppData\Roaming\XvFu5flZcgudIlwvVLtjOx372 Jump to behavior
Source: classification engine Classification label: mal76.rans.troj.winEXE@1/0@0/0

Data Obfuscation:

barindex
Yara detected GuLoader
Source: Yara match File source: 00000000.00000002.875035981.00000000020E0000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Unpoetical.exe Code function: 0_2_00404C04 push ebp; retf 0_2_00404C05
Source: C:\Users\user\Desktop\Unpoetical.exe Code function: 0_2_00404CEF push ebp; iretd 0_2_00404CF5
Source: C:\Users\user\Desktop\Unpoetical.exe Code function: 0_2_00401CBC push eax; retn 0041h 0_2_00401CBD
Source: C:\Users\user\Desktop\Unpoetical.exe Code function: 0_2_00407323 push ebp; iretd 0_2_00407365
Source: C:\Users\user\Desktop\Unpoetical.exe Code function: 0_2_0040732D push ebp; iretd 0_2_00407365
Source: C:\Users\user\Desktop\Unpoetical.exe Code function: 0_2_020E201A pushfd ; iretd 0_2_020E2020
Source: C:\Users\user\Desktop\Unpoetical.exe Code function: 0_2_020E0E4D push cs; iretd 0_2_020E0E5A
Source: C:\Users\user\Desktop\Unpoetical.exe Code function: 0_2_020E0CEE push ecx; ret 0_2_020E0CEF
Source: C:\Users\user\Desktop\Unpoetical.exe Code function: 0_2_020E1F1C pushfd ; iretd 0_2_020E2020
Source: C:\Users\user\Desktop\Unpoetical.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Unpoetical.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Unpoetical.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Unpoetical.exe Code function: 0_2_020ED0B4 rdtsc 0_2_020ED0B4

Anti Debugging:

barindex
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\Unpoetical.exe Code function: 0_2_020EC607 mov eax, dword ptr fs:[00000030h] 0_2_020EC607
Source: C:\Users\user\Desktop\Unpoetical.exe Code function: 0_2_020F2697 mov eax, dword ptr fs:[00000030h] 0_2_020F2697
Source: C:\Users\user\Desktop\Unpoetical.exe Code function: 0_2_020F4B8C mov eax, dword ptr fs:[00000030h] 0_2_020F4B8C
Source: C:\Users\user\Desktop\Unpoetical.exe Code function: 0_2_020F2FD3 mov eax, dword ptr fs:[00000030h] 0_2_020F2FD3
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Unpoetical.exe Code function: 0_2_020ED0B4 rdtsc 0_2_020ED0B4
Source: C:\Users\user\Desktop\Unpoetical.exe Code function: 0_2_020F6855 RtlAddVectoredExceptionHandler, 0_2_020F6855
Source: Unpoetical.exe, 00000000.00000002.874902943.0000000000C70000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: Unpoetical.exe, 00000000.00000002.874902943.0000000000C70000.00000002.00020000.sdmp Binary or memory string: Progman
Source: Unpoetical.exe, 00000000.00000002.874902943.0000000000C70000.00000002.00020000.sdmp Binary or memory string: &Program Manager
Source: Unpoetical.exe, 00000000.00000002.874902943.0000000000C70000.00000002.00020000.sdmp Binary or memory string: Progmanlock
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 532884 Sample: Unpoetical.exe Startdate: 02/12/2021 Architecture: WINDOWS Score: 76 7 Potential malicious icon found 2->7 9 Found malware configuration 2->9 11 Multi AV Scanner detection for submitted file 2->11 13 2 other signatures 2->13 5 Unpoetical.exe 1 2 2->5         started        process3
No contacted IP infos