Windows Analysis Report 20211129.exe

Overview

General Information

Sample Name: 20211129.exe
Analysis ID: 532897
MD5: 672587fb175264ef8b45a2b0857f273f
SHA1: ab7c2f5edf572d5b28d7da50f548d73d49f92b71
SHA256: c00b66ef61df2012b269bca3e60b301478641292948f1cac579096603ad67f98
Tags: exe, guloader, signed
Detection

GuLoader
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Potential malicious icon found
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Tries to detect virtualization through RDTSC time measurements
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Sample file name is different from the original file name gathered from version info
PE file contains strange resources
Contains functionality to read the PEB
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
PE / OLE file has an invalid certificate
Contains functionality to call native functions
Contains functionality for execution timing, often used to detect debuggers
Abnormally high CPU usage

Classification

AV Detection:

Found malware configuration
Source: 00000000.00000002.776543638.0000000002220000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=down"}
Multi AV Scanner detection for submitted file
Source: 20211129.exe Virustotal: Detection: 36%
Source: 20211129.exe Metadefender: Detection: 21%
Source: 20211129.exe ReversingLabs: Detection: 51%

Compliance:

Uses 32bit PE files
Source: 20211129.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://drive.google.com/uc?export=down
Source: 20211129.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: 20211129.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: 20211129.exe String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: 20211129.exe String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: 20211129.exe String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: 20211129.exe String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: 20211129.exe String found in binary or memory: http://ocsp.digicert.com0C
Source: 20211129.exe String found in binary or memory: http://ocsp.digicert.com0O
Source: 20211129.exe String found in binary or memory: http://www.digicert.com/CPS0
Source: 20211129.exe String found in binary or memory: https://www.digicert.com/CPS0

System Summary:

Potential malicious icon found
Source: initial sample Icon embedded in PE file: bad icon match: 20047c7c70f0e004
Uses 32bit PE files
Source: 20211129.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Sample file name is different from the original file name gathered from version info
Source: 20211129.exe, 00000000.00000002.776768786.0000000002A40000.00000004.00000001.sdmp Binary or memory string: OriginalFilenametofrontskrig.exeFE2XK vs 20211129.exe
Source: 20211129.exe, 00000000.00000000.245587033.0000000000425000.00000002.00020000.sdmp Binary or memory string: OriginalFilenametofrontskrig.exe vs 20211129.exe
Source: 20211129.exe Binary or memory string: OriginalFilenametofrontskrig.exe vs 20211129.exe
PE file contains strange resources
Source: 20211129.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Detected potential crypto function
Source: C:\Users\user\Desktop\20211129.exe Code function: 0_2_02236BAF 0_2_02236BAF
Source: C:\Users\user\Desktop\20211129.exe Code function: 0_2_0222D9D3 0_2_0222D9D3
Source: C:\Users\user\Desktop\20211129.exe Code function: 0_2_0222BC7B 0_2_0222BC7B
Source: C:\Users\user\Desktop\20211129.exe Code function: 0_2_0222E24E 0_2_0222E24E
Source: C:\Users\user\Desktop\20211129.exe Code function: 0_2_0222525E 0_2_0222525E
Source: C:\Users\user\Desktop\20211129.exe Code function: 0_2_022336B9 0_2_022336B9
Source: C:\Users\user\Desktop\20211129.exe Code function: 0_2_02234E85 0_2_02234E85
Source: C:\Users\user\Desktop\20211129.exe Code function: 0_2_022332ED 0_2_022332ED
Source: C:\Users\user\Desktop\20211129.exe Code function: 0_2_022252EC 0_2_022252EC
Source: C:\Users\user\Desktop\20211129.exe Code function: 0_2_0222D568 0_2_0222D568
Source: C:\Users\user\Desktop\20211129.exe Code function: 0_2_0222C18D 0_2_0222C18D
Source: C:\Users\user\Desktop\20211129.exe Code function: 0_2_022205CC 0_2_022205CC
Source: C:\Users\user\Desktop\20211129.exe Code function: 0_2_022343CC 0_2_022343CC
PE / OLE file has an invalid certificate
Source: 20211129.exe Static PE information: invalid certificate
Contains functionality to call native functions
Source: C:\Users\user\Desktop\20211129.exe Code function: 0_2_0222D9D3 NtAllocateVirtualMemory, 0_2_0222D9D3
Abnormally high CPU usage
Source: C:\Users\user\Desktop\20211129.exe Process Stats: CPU usage > 98%
Source: 20211129.exe Virustotal: Detection: 36%
Source: 20211129.exe Metadefender: Detection: 21%
Source: 20211129.exe ReversingLabs: Detection: 51%
Source: 20211129.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\20211129.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\20211129.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\20211129.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}\InprocServer32
Source: C:\Users\user\Desktop\20211129.exe File created: C:\Users\user\AppData\Roaming\XvFu5flZcgudIlwvVLtjOx372
Source: classification engine Classification label: mal80.rans.troj.evad.winEXE@1/0@0/0

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000000.00000002.776543638.0000000002220000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\20211129.exe Code function: 0_2_0040C11C pushfd ; iretd 0_2_0040C120
Source: C:\Users\user\Desktop\20211129.exe Code function: 0_2_02222623 push FFFFFF81h; ret 0_2_0222262F
Source: C:\Users\user\Desktop\20211129.exe Code function: 0_2_02225E26 push esp; iretd 0_2_02225E28
Source: C:\Users\user\Desktop\20211129.exe Code function: 0_2_02222231 push ebx; retf 0_2_022222A6
Source: C:\Users\user\Desktop\20211129.exe Code function: 0_2_02220039 pushfd ; retf 0_2_02220050
Source: C:\Users\user\Desktop\20211129.exe Code function: 0_2_02220C65 pushfd ; iretd 0_2_02220C68
Source: C:\Users\user\Desktop\20211129.exe Code function: 0_2_02220052 pushfd ; retf 0_2_02220050
Source: C:\Users\user\Desktop\20211129.exe Code function: 0_2_02220052 pushfd ; retf 0_2_022200B3
Source: C:\Users\user\Desktop\20211129.exe Code function: 0_2_0222D2C5 push ecx; retf 0_2_0222D7DD
Source: C:\Users\user\Desktop\20211129.exe Code function: 0_2_02224BBD push ss; ret 0_2_02224BBE
Source: C:\Users\user\Desktop\20211129.exe Code function: 0_2_02221B91 pushfd ; ret 0_2_02221B95
Source: C:\Users\user\Desktop\20211129.exe Code function: 0_2_02222DCC push edi; iretd 0_2_02222DCD
Source: C:\Users\user\Desktop\20211129.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\20211129.exe RDTSC instruction interceptor: First address: 000000000222CB10 second address: 000000000222CB10 instructions: 0x00000000 rdtsc 0x00000002 mov eax, C59FC429h 0x00000007 sub eax, C4E79C3Eh 0x0000000c add eax, 320FDAB5h 0x00000011 sub eax, 32C8029Fh 0x00000016 cpuid 0x00000018 popad 0x00000019 call 00007F487CD844D4h 0x0000001e lfence 0x00000021 mov edx, D1AF9544h 0x00000026 xor edx, 9043EC23h 0x0000002c sub edx, FB2A8C3Dh 0x00000032 xor edx, 393FED3Eh 0x00000038 mov edx, dword ptr [edx] 0x0000003a lfence 0x0000003d ret 0x0000003e sub edx, esi 0x00000040 ret 0x00000041 pop ecx 0x00000042 add edi, edx 0x00000044 dec ecx 0x00000045 mov dword ptr [ebp+0000020Ch], ecx 0x0000004b mov ecx, A02E6A25h 0x00000050 add ecx, 63038538h 0x00000056 xor ecx, 9592C6BAh 0x0000005c xor ecx, 96A329E7h 0x00000062 cmp dword ptr [ebp+0000020Ch], ecx 0x00000068 mov ecx, dword ptr [ebp+0000020Ch] 0x0000006e jne 00007F487CD843BFh 0x00000070 mov dword ptr [ebp+00000231h], eax 0x00000076 mov eax, ecx 0x00000078 push eax 0x00000079 mov eax, dword ptr [ebp+00000231h] 0x0000007f call 00007F487CD845FBh 0x00000084 call 00007F487CD844F5h 0x00000089 lfence 0x0000008c mov edx, D1AF9544h 0x00000091 xor edx, 9043EC23h 0x00000097 sub edx, FB2A8C3Dh 0x0000009d xor edx, 393FED3Eh 0x000000a3 mov edx, dword ptr [edx] 0x000000a5 lfence 0x000000a8 ret 0x000000a9 mov esi, edx 0x000000ab pushad 0x000000ac rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\20211129.exe Code function: 0_2_0222CB08 rdtsc 0_2_0222CB08

Anti Debugging:

Contains functionality to read the PEB
Source: C:\Users\user\Desktop\20211129.exe Code function: 0_2_02234E85 mov eax, dword ptr fs:[00000030h] 0_2_02234E85
Source: C:\Users\user\Desktop\20211129.exe Code function: 0_2_022332ED mov eax, dword ptr fs:[00000030h] 0_2_022332ED
Source: C:\Users\user\Desktop\20211129.exe Code function: 0_2_0222C77D mov eax, dword ptr fs:[00000030h] 0_2_0222C77D
Source: C:\Users\user\Desktop\20211129.exe Code function: 0_2_02232985 mov eax, dword ptr fs:[00000030h] 0_2_02232985
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\20211129.exe Code function: 0_2_0222CB08 rdtsc 0_2_0222CB08
Source: C:\Users\user\Desktop\20211129.exe Code function: 0_2_02236BAF RtlAddVectoredExceptionHandler, 0_2_02236BAF
Source: 20211129.exe, 00000000.00000002.775916702.0000000000D80000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: 20211129.exe, 00000000.00000002.775916702.0000000000D80000.00000002.00020000.sdmp Binary or memory string: Progman
Source: 20211129.exe, 00000000.00000002.775916702.0000000000D80000.00000002.00020000.sdmp Binary or memory string: SProgram Managerl
Source: 20211129.exe, 00000000.00000002.775916702.0000000000D80000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd,
Source: 20211129.exe, 00000000.00000002.775916702.0000000000D80000.00000002.00020000.sdmp Binary or memory string: Progmanlock
No contacted IP information