Loading ...

Play interactive tourEdit tour

Windows Analysis Report SWIFT_ACK-89813.02.exe

Overview

General Information

Sample Name:SWIFT_ACK-89813.02.exe
Analysis ID:539387
MD5:2f19182da895afc914c7b9851a4f2d49
SHA1:7d111bd6284cdd87498e72d90a595aea9fc35d5d
SHA256:24d5129d6ecbe5ba5e88077d1207bc09fc68d076dea00892bc614a267f9f0b1b
Tags:exe
Infos:

Most interesting Screenshot:

Detection

GuLoader
Score:60
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Contains functionality to call native functions
Sample file is different than original file name gathered from version info
PE file contains strange resources
Contains functionality to read the PEB
Uses code obfuscation techniques (call, push, ret)
Contains functionality for execution timing, often used to detect debuggers
Abnormal high CPU Usage
Detected potential crypto function

Classification

Process Tree

  • System is w10x64
  • SWIFT_ACK-89813.02.exe (PID: 6420 cmdline: "C:\Users\user\Desktop\SWIFT_ACK-89813.02.exe" MD5: 2F19182DA895AFC914C7B9851A4F2D49)
  • cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://drive.google.com/uc?expor"}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000000.00000002.824783872.00000000023F0000.00000040.00000001.sdmpJoeSecurity_GuLoader_2Yara detected GuLoaderJoe Security

    Sigma Overview

    No Sigma rule has matched

    Jbx Signature Overview

    Click to jump to signature section

    Show All Signature Results

    AV Detection:

    barindex
    Found malware configurationShow sources
    Source: 00000000.00000002.824783872.00000000023F0000.00000040.00000001.sdmpMalware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?expor"}
    Source: SWIFT_ACK-89813.02.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

    Networking:

    barindex
    C2 URLs / IPs found in malware configurationShow sources
    Source: Malware configuration extractorURLs: https://drive.google.com/uc?expor
    Source: SWIFT_ACK-89813.02.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
    Source: C:\Users\user\Desktop\SWIFT_ACK-89813.02.exeCode function: 0_2_023F83D2 NtAllocateVirtualMemory,0_2_023F83D2
    Source: SWIFT_ACK-89813.02.exe, 00000000.00000000.293724818.000000000042B000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameerst.exe vs SWIFT_ACK-89813.02.exe
    Source: SWIFT_ACK-89813.02.exe, 00000000.00000002.824752496.00000000022E0000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameerst.exeFE2X vs SWIFT_ACK-89813.02.exe
    Source: SWIFT_ACK-89813.02.exeBinary or memory string: OriginalFilenameerst.exe vs SWIFT_ACK-89813.02.exe
    Source: SWIFT_ACK-89813.02.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
    Source: C:\Users\user\Desktop\SWIFT_ACK-89813.02.exeProcess Stats: CPU usage > 98%
    Source: C:\Users\user\Desktop\SWIFT_ACK-89813.02.exeCode function: 0_2_023F83D20_2_023F83D2
    Source: C:\Users\user\Desktop\SWIFT_ACK-89813.02.exeCode function: 0_2_023FD4770_2_023FD477
    Source: C:\Users\user\Desktop\SWIFT_ACK-89813.02.exeCode function: 0_2_023F023A0_2_023F023A
    Source: C:\Users\user\Desktop\SWIFT_ACK-89813.02.exeCode function: 0_2_023F7AB20_2_023F7AB2
    Source: C:\Users\user\Desktop\SWIFT_ACK-89813.02.exeCode function: 0_2_023F730C0_2_023F730C
    Source: C:\Users\user\Desktop\SWIFT_ACK-89813.02.exeCode function: 0_2_023F575A0_2_023F575A
    Source: C:\Users\user\Desktop\SWIFT_ACK-89813.02.exeCode function: 0_2_023FBF900_2_023FBF90
    Source: C:\Users\user\Desktop\SWIFT_ACK-89813.02.exeCode function: 0_2_023FBB830_2_023FBB83
    Source: C:\Users\user\Desktop\SWIFT_ACK-89813.02.exeCode function: 0_2_023F5D960_2_023F5D96
    Source: C:\Users\user\Desktop\SWIFT_ACK-89813.02.exeCode function: 0_2_023F59890_2_023F5989
    Source: C:\Users\user\Desktop\SWIFT_ACK-89813.02.exeFile created: C:\Users\user\AppData\Local\Temp\~DFA1C4850DA9C6EF9A.TMPJump to behavior
    Source: SWIFT_ACK-89813.02.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\SWIFT_ACK-89813.02.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
    Source: C:\Users\user\Desktop\SWIFT_ACK-89813.02.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dllJump to behavior
    Source: classification engineClassification label: mal60.troj.winEXE@1/1@0/0
    Source: C:\Users\user\Desktop\SWIFT_ACK-89813.02.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}\InprocServer32Jump to behavior

    Data Obfuscation:

    barindex
    Yara detected GuLoaderShow sources
    Source: Yara matchFile source: 00000000.00000002.824783872.00000000023F0000.00000040.00000001.sdmp, type: MEMORY
    Source: C:\Users\user\Desktop\SWIFT_ACK-89813.02.exeCode function: 0_2_00406901 push ds; ret 0_2_00406902
    Source: C:\Users\user\Desktop\SWIFT_ACK-89813.02.exeCode function: 0_2_00409518 push ebx; iretd 0_2_00409519
    Source: C:\Users\user\Desktop\SWIFT_ACK-89813.02.exeCode function: 0_2_00407D81 push edx; ret 0_2_00407D8D
    Source: C:\Users\user\Desktop\SWIFT_ACK-89813.02.exeCode function: 0_2_00407999 push ebx; iretd 0_2_0040799D
    Source: C:\Users\user\Desktop\SWIFT_ACK-89813.02.exeCode function: 0_2_00406DAE push ebp; ret 0_2_00406DB5
    Source: C:\Users\user\Desktop\SWIFT_ACK-89813.02.exeCode function: 0_2_004055BC push ds; ret 0_2_004055D6
    Source: C:\Users\user\Desktop\SWIFT_ACK-89813.02.exeCode function: 0_2_0040A644 push cs; iretd 0_2_0040A650
    Source: C:\Users\user\Desktop\SWIFT_ACK-89813.02.exeCode function: 0_2_00405EC9 push cs; ret 0_2_00405F04
    Source: C:\Users\user\Desktop\SWIFT_ACK-89813.02.exeCode function: 0_2_0040828C push eax; iretd 0_2_004082D1
    Source: C:\Users\user\Desktop\SWIFT_ACK-89813.02.exeCode function: 0_2_00406FE2 push ebx; iretd 0_2_00407075
    Source: C:\Users\user\Desktop\SWIFT_ACK-89813.02.exeCode function: 0_2_023F1E08 push ss; retf 0_2_023F1E0E
    Source: C:\Users\user\Desktop\SWIFT_ACK-89813.02.exeCode function: 0_2_023F3394 pushad ; retn 0004h0_2_023F33CF
    Source: initial sampleStatic PE information: section name: .text entropy: 7.1391806469
    Source: C:\Users\user\Desktop\SWIFT_ACK-89813.02.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\SWIFT_ACK-89813.02.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\SWIFT_ACK-89813.02.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\SWIFT_ACK-89813.02.exeCode function: 0_2_023F7F96 rdtsc 0_2_023F7F96
    Source: C:\Users\user\Desktop\SWIFT_ACK-89813.02.exeCode function: 0_2_023FB23E mov eax, dword ptr fs:[00000030h]0_2_023FB23E
    Source: C:\Users\user\Desktop\SWIFT_ACK-89813.02.exeCode function: 0_2_023F797D mov eax, dword ptr fs:[00000030h]0_2_023F797D
    Source: C:\Users\user\Desktop\SWIFT_ACK-89813.02.exeCode function: 0_2_023F7F96 rdtsc 0_2_023F7F96
    Source: C:\Users\user\Desktop\SWIFT_ACK-89813.02.exeCode function: 0_2_023FD477 RtlAddVectoredExceptionHandler,0_2_023FD477
    Source: SWIFT_ACK-89813.02.exe, 00000000.00000002.824477565.0000000000D90000.00000002.00020000.sdmpBinary or memory string: Program Manager
    Source: SWIFT_ACK-89813.02.exe, 00000000.00000002.824477565.0000000000D90000.00000002.00020000.sdmpBinary or memory string: Shell_TrayWnd
    Source: SWIFT_ACK-89813.02.exe, 00000000.00000002.824477565.0000000000D90000.00000002.00020000.sdmpBinary or memory string: Progman
    Source: SWIFT_ACK-89813.02.exe, 00000000.00000002.824477565.0000000000D90000.00000002.00020000.sdmpBinary or memory string: Progmanlock

    Mitre Att&ck Matrix

    Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
    Valid AccountsWindows Management InstrumentationPath InterceptionProcess Injection1Software Packing1OS Credential DumpingSecurity Software Discovery1Remote ServicesArchive Collected Data1Exfiltration Over Other Network MediumEncrypted Channel1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
    Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsProcess Injection1LSASS MemoryProcess Discovery1Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothApplication Layer Protocol1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
    Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Obfuscated Files or Information2Security Account ManagerSystem Information Discovery1SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data

    Behavior Graph

    Hide Legend

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values
    • Number of created Files
    • Visual Basic
    • Delphi
    • Java
    • .Net C# or VB.NET
    • C, C++ or other language
    • Is malicious
    • Internet

    Screenshots

    Thumbnails

    This section contains all screenshots as thumbnails, including those not shown in the slideshow.