Windows Analysis Report FACTURAS.exe

Overview

General Information

Sample Name:	FACTURAS.exe
Analysis ID:	539419
MD5:	2332fdde9344114749db5496eef5f5f9
SHA1:	303c40dd112294dc012836be48eb38e8af056432
SHA256:	0e693b9dcb4ccb3e64cb61396447dd4e3871234b4af80c2d57e4fbc9b6268a61
Infos:
Most interesting Screenshot:

Detection

GuLoader

Score:	68
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected GuLoader

C2 URLs / IPs found in malware configuration

Creates a DirectInput object (often for capturing keystrokes)

Uses 32bit PE files

Contains functionality to call native functions

Sample file is different than original file name gathered from version info

Contains functionality to read the PEB

Uses code obfuscation techniques (call, push, ret)

Contains functionality for execution timing, often used to detect debuggers

Abnormal high CPU Usage

Detected potential crypto function

Classification

Signatures

AV Detection:

Found malware configuration

Source: 00000000.00000002.862055491.0000000003060000.00000040.00000001.sdmp

Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=downlD'"}

Multi AV Scanner detection for submitted file

Source: FACTURAS.exe	Virustotal: Detection: 40%	Perma Link
Source: FACTURAS.exe	Metadefender: Detection: 38%	Perma Link
Source: FACTURAS.exe	ReversingLabs: Detection: 57%

Compliance:

Uses 32bit PE files

Source: FACTURAS.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: https://drive.google.com/uc?export=downlD'

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)

Source: FACTURAS.exe, 00000000.00000002.860970740.00000000005CA000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Uses 32bit PE files

Source: FACTURAS.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Contains functionality to call native functions

Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_0306D940 NtAllocateVirtualMemory,	0_2_0306D940
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_0306DB0E NtAllocateVirtualMemory,	0_2_0306DB0E
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_0306DB52 NtAllocateVirtualMemory,	0_2_0306DB52
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_0306DE06 NtAllocateVirtualMemory,	0_2_0306DE06
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_0306DC8C NtAllocateVirtualMemory,	0_2_0306DC8C

Sample file is different than original file name gathered from version info

Source: FACTURAS.exe, 00000000.00000002.860928984.0000000000424000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameSERVICEKONTRAKTS.exe vs FACTURAS.exe
Source: FACTURAS.exe, 00000000.00000002.861579074.0000000002A60000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSERVICEKONTRAKTS.exeFE2XMURALL vs FACTURAS.exe
Source: FACTURAS.exe	Binary or memory string: OriginalFilenameSERVICEKONTRAKTS.exe vs FACTURAS.exe

Abnormal high CPU Usage

Source: C:\Users\user\Desktop\FACTURAS.exe

Process Stats: CPU usage > 98%

Detected potential crypto function

Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_03076B17	0_2_03076B17
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_0306D940	0_2_0306D940
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_0306E3A7	0_2_0306E3A7
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_0306A3A0	0_2_0306A3A0
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_0306E3C2	0_2_0306E3C2
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_0306A28E	0_2_0306A28E
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_030692AF	0_2_030692AF
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_030692DA	0_2_030692DA
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_0306A122	0_2_0306A122
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_0306B1FE	0_2_0306B1FE
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_0306B034	0_2_0306B034
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_0306A0B4	0_2_0306A0B4
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_0306A0D5	0_2_0306A0D5
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_0306A730	0_2_0306A730
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_0306E75A	0_2_0306E75A
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_0306C76B	0_2_0306C76B
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_030697F8	0_2_030697F8
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_0306E65C	0_2_0306E65C
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_0306A6C9	0_2_0306A6C9
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_0306D566	0_2_0306D566
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_0306957A	0_2_0306957A
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_03074430	0_2_03074430
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_03069444	0_2_03069444
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_0306A4C0	0_2_0306A4C0
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_0306E4F6	0_2_0306E4F6
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_0306DB0E	0_2_0306DB0E
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_03074BBF	0_2_03074BBF
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_03073BCC	0_2_03073BCC
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_03069A80	0_2_03069A80
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_03073ABC	0_2_03073ABC
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_0306AAFA	0_2_0306AAFA
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_03069932	0_2_03069932
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_0306993C	0_2_0306993C
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_03073994	0_2_03073994
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_0306A9DE	0_2_0306A9DE
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_0307382F	0_2_0307382F
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_03073860	0_2_03073860
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_0306E8B4	0_2_0306E8B4
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_0306EF04	0_2_0306EF04
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_03074F2E	0_2_03074F2E
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_03069FA8	0_2_03069FA8
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_03069E60	0_2_03069E60
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_0306AE9A	0_2_0306AE9A
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_0306EEB4	0_2_0306EEB4
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_03073D0C	0_2_03073D0C
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_0306CD2E	0_2_0306CD2E
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_0306AD74	0_2_0306AD74
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_03069DDE	0_2_03069DDE
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_0306AC38	0_2_0306AC38
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_03069CDB	0_2_03069CDB

Source: FACTURAS.exe	Virustotal: Detection: 40%
Source: FACTURAS.exe	Metadefender: Detection: 38%
Source: FACTURAS.exe	ReversingLabs: Detection: 57%

Source: C:\Users\user\Desktop\FACTURAS.exe

File created: C:\Users\user\AppData\Local\Temp\~DF6CBEB2FF77188695.TMP

Jump to behavior

Source: FACTURAS.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\FACTURAS.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\FACTURAS.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: classification engine

Classification label: mal68.troj.winEXE@1/2@0/0

Source: C:\Users\user\Desktop\FACTURAS.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000566-0000-0010-8000-00AA006D2EA4}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\FACTURAS.exe

File created: C:\Users\user\AppData\Roaming\Bh2BSU9xxO49MYboEPptixGKslvKjoQApxmsXHE151

Jump to behavior

Data Obfuscation:

Yara detected GuLoader

Source: Yara match

File source: 00000000.00000002.862055491.0000000003060000.00000040.00000001.sdmp, type: MEMORY

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_004098C0 push 2DBAC715h; retf	0_2_004098C5
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_004098CB push ss; retf	0_2_004098CD
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_0040508B pushad ; ret	0_2_0040509D
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_0040755C push cs; retf	0_2_0040755D
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_00407179 push esp; iretd	0_2_00407181
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_00407584 push cs; retf	0_2_0040755D
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_004085B8 push edx; retf	0_2_004085B9
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_00406245 push ecx; retf	0_2_00406249
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_004072E6 push ebp; iretd	0_2_004072E9
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_004042FC push edx; retf	0_2_004042FD
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_0040972A push eax; iretd	0_2_00409745
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_004083D6 pushfd ; iretd	0_2_00408422
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_03066512 push ecx; retf	0_2_03066516
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_03064E82 push esi; iretd	0_2_03064E99

Source: C:\Users\user\Desktop\FACTURAS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\Desktop\FACTURAS.exe

Code function: 0_2_0306D11F rdtsc

0_2_0306D11F

Anti Debugging:

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_0307339D mov eax, dword ptr fs:[00000030h]	0_2_0307339D
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_0306C76B mov eax, dword ptr fs:[00000030h]	0_2_0306C76B
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_03072A70 mov eax, dword ptr fs:[00000030h]	0_2_03072A70
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_03074F2E mov eax, dword ptr fs:[00000030h]	0_2_03074F2E

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\Desktop\FACTURAS.exe

Code function: 0_2_0306D11F rdtsc

0_2_0306D11F

Source: C:\Users\user\Desktop\FACTURAS.exe

Code function: 0_2_03076B17 RtlAddVectoredExceptionHandler,

0_2_03076B17

Source: FACTURAS.exe, 00000000.00000002.861049488.0000000000D90000.00000002.00020000.sdmp	Binary or memory string: Program Manager
Source: FACTURAS.exe, 00000000.00000002.861049488.0000000000D90000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: FACTURAS.exe, 00000000.00000002.861049488.0000000000D90000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: FACTURAS.exe, 00000000.00000002.861049488.0000000000D90000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No contacted IP infos

ID:	539419
Product:	CloudBasic
Start time:	09:38:19
Start date:	14.12.2021
Sample:	FACTURAS.exe
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	2332fdde9344114749db5496eef5f5f9
SHA1:	303c40dd112294dc012836be48eb38e8af056432
SHA256:	0e693b9dcb4ccb3e64cb61396447dd4e3871234b4af80c2d57e4fbc9b6268a61
Filetype:	Win32 Executable (generic) a (10002005/4) 99.15%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Temp\M9XgMRXaN30mgEl56ja236	data	34F45818F16D1BBB62BA5874B8814CC7	A454CA483B4A66B83826D061BE2859DD79FF0D6C	DC765660B06EE03DD16FD7CA5B957E8C805161AC2C4AF28C5A100AB2AB432CA1
C:\Users\user\AppData\Local\Temp\~DF6CBEB2FF77188695.TMP	Composite Document File V2 Document, Cannot read section info	E5AAF1474D5E7489F86A267B928DE425	8DAC741F82956D6111A5B442442E095DC4FC3299	DBBEF5EC504CF458770890AF07448ABF835345029D078D4BA36CBF431F86314E

Windows Analysis Report FACTURAS.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Screenshots

Behavior Graph

Network Map