Windows Analysis Report SWIFT_ACK-89813.02.exe

Overview

General Information

Sample Name: SWIFT_ACK-89813.02.exe
Analysis ID: 539387
MD5: 2f19182da895afc914c7b9851a4f2d49
SHA1: 7d111bd6284cdd87498e72d90a595aea9fc35d5d
SHA256: 24d5129d6ecbe5ba5e88077d1207bc09fc68d076dea00892bc614a267f9f0b1b
Tags: exe
Infos:

Most interesting Screenshot:

Detection

GuLoader
Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Contains functionality to call native functions
Sample file is different than original file name gathered from version info
PE file contains strange resources
Contains functionality to read the PEB
Uses code obfuscation techniques (call, push, ret)
Contains functionality for execution timing, often used to detect debuggers
Abnormal high CPU Usage
Detected potential crypto function

Classification

AV Detection:

barindex
Found malware configuration
Source: 00000000.00000002.824783872.00000000023F0000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?expor"}

Compliance:

barindex
Uses 32bit PE files
Source: SWIFT_ACK-89813.02.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

barindex
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://drive.google.com/uc?expor

System Summary:

barindex
Uses 32bit PE files
Source: SWIFT_ACK-89813.02.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Contains functionality to call native functions
Source: C:\Users\user\Desktop\SWIFT_ACK-89813.02.exe Code function: 0_2_023F83D2 NtAllocateVirtualMemory, 0_2_023F83D2
Sample file is different than original file name gathered from version info
Source: SWIFT_ACK-89813.02.exe, 00000000.00000000.293724818.000000000042B000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameerst.exe vs SWIFT_ACK-89813.02.exe
Source: SWIFT_ACK-89813.02.exe, 00000000.00000002.824752496.00000000022E0000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameerst.exeFE2X vs SWIFT_ACK-89813.02.exe
Source: SWIFT_ACK-89813.02.exe Binary or memory string: OriginalFilenameerst.exe vs SWIFT_ACK-89813.02.exe
PE file contains strange resources
Source: SWIFT_ACK-89813.02.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\SWIFT_ACK-89813.02.exe Process Stats: CPU usage > 98%
Detected potential crypto function
Source: C:\Users\user\Desktop\SWIFT_ACK-89813.02.exe Code function: 0_2_023F83D2 0_2_023F83D2
Source: C:\Users\user\Desktop\SWIFT_ACK-89813.02.exe Code function: 0_2_023FD477 0_2_023FD477
Source: C:\Users\user\Desktop\SWIFT_ACK-89813.02.exe Code function: 0_2_023F023A 0_2_023F023A
Source: C:\Users\user\Desktop\SWIFT_ACK-89813.02.exe Code function: 0_2_023F7AB2 0_2_023F7AB2
Source: C:\Users\user\Desktop\SWIFT_ACK-89813.02.exe Code function: 0_2_023F730C 0_2_023F730C
Source: C:\Users\user\Desktop\SWIFT_ACK-89813.02.exe Code function: 0_2_023F575A 0_2_023F575A
Source: C:\Users\user\Desktop\SWIFT_ACK-89813.02.exe Code function: 0_2_023FBF90 0_2_023FBF90
Source: C:\Users\user\Desktop\SWIFT_ACK-89813.02.exe Code function: 0_2_023FBB83 0_2_023FBB83
Source: C:\Users\user\Desktop\SWIFT_ACK-89813.02.exe Code function: 0_2_023F5D96 0_2_023F5D96
Source: C:\Users\user\Desktop\SWIFT_ACK-89813.02.exe Code function: 0_2_023F5989 0_2_023F5989
Source: C:\Users\user\Desktop\SWIFT_ACK-89813.02.exe File created: C:\Users\user\AppData\Local\Temp\~DFA1C4850DA9C6EF9A.TMP Jump to behavior
Source: SWIFT_ACK-89813.02.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SWIFT_ACK-89813.02.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_ACK-89813.02.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll Jump to behavior
Source: classification engine Classification label: mal60.troj.winEXE@1/1@0/0
Source: C:\Users\user\Desktop\SWIFT_ACK-89813.02.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}\InprocServer32 Jump to behavior

Data Obfuscation:

barindex
Yara detected GuLoader
Source: Yara match File source: 00000000.00000002.824783872.00000000023F0000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\SWIFT_ACK-89813.02.exe Code function: 0_2_00406901 push ds; ret 0_2_00406902
Source: C:\Users\user\Desktop\SWIFT_ACK-89813.02.exe Code function: 0_2_00409518 push ebx; iretd 0_2_00409519
Source: C:\Users\user\Desktop\SWIFT_ACK-89813.02.exe Code function: 0_2_00407D81 push edx; ret 0_2_00407D8D
Source: C:\Users\user\Desktop\SWIFT_ACK-89813.02.exe Code function: 0_2_00407999 push ebx; iretd 0_2_0040799D
Source: C:\Users\user\Desktop\SWIFT_ACK-89813.02.exe Code function: 0_2_00406DAE push ebp; ret 0_2_00406DB5
Source: C:\Users\user\Desktop\SWIFT_ACK-89813.02.exe Code function: 0_2_004055BC push ds; ret 0_2_004055D6
Source: C:\Users\user\Desktop\SWIFT_ACK-89813.02.exe Code function: 0_2_0040A644 push cs; iretd 0_2_0040A650
Source: C:\Users\user\Desktop\SWIFT_ACK-89813.02.exe Code function: 0_2_00405EC9 push cs; ret 0_2_00405F04
Source: C:\Users\user\Desktop\SWIFT_ACK-89813.02.exe Code function: 0_2_0040828C push eax; iretd 0_2_004082D1
Source: C:\Users\user\Desktop\SWIFT_ACK-89813.02.exe Code function: 0_2_00406FE2 push ebx; iretd 0_2_00407075
Source: C:\Users\user\Desktop\SWIFT_ACK-89813.02.exe Code function: 0_2_023F1E08 push ss; retf 0_2_023F1E0E
Source: C:\Users\user\Desktop\SWIFT_ACK-89813.02.exe Code function: 0_2_023F3394 pushad ; retn 0004h 0_2_023F33CF
Source: initial sample Static PE information: section name: .text entropy: 7.1391806469
Source: C:\Users\user\Desktop\SWIFT_ACK-89813.02.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_ACK-89813.02.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_ACK-89813.02.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\SWIFT_ACK-89813.02.exe Code function: 0_2_023F7F96 rdtsc 0_2_023F7F96

Anti Debugging:

barindex
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\SWIFT_ACK-89813.02.exe Code function: 0_2_023FB23E mov eax, dword ptr fs:[00000030h] 0_2_023FB23E
Source: C:\Users\user\Desktop\SWIFT_ACK-89813.02.exe Code function: 0_2_023F797D mov eax, dword ptr fs:[00000030h] 0_2_023F797D
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\SWIFT_ACK-89813.02.exe Code function: 0_2_023F7F96 rdtsc 0_2_023F7F96
Source: C:\Users\user\Desktop\SWIFT_ACK-89813.02.exe Code function: 0_2_023FD477 RtlAddVectoredExceptionHandler, 0_2_023FD477
Source: SWIFT_ACK-89813.02.exe, 00000000.00000002.824477565.0000000000D90000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: SWIFT_ACK-89813.02.exe, 00000000.00000002.824477565.0000000000D90000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: SWIFT_ACK-89813.02.exe, 00000000.00000002.824477565.0000000000D90000.00000002.00020000.sdmp Binary or memory string: Progman
Source: SWIFT_ACK-89813.02.exe, 00000000.00000002.824477565.0000000000D90000.00000002.00020000.sdmp Binary or memory string: Progmanlock