Windows Analysis Report FACTURAS.exe

Overview

General Information

Sample Name: FACTURAS.exe
Analysis ID: 539419
MD5: 2332fdde9344114749db5496eef5f5f9
SHA1: 303c40dd112294dc012836be48eb38e8af056432
SHA256: 0e693b9dcb4ccb3e64cb61396447dd4e3871234b4af80c2d57e4fbc9b6268a61

Detection

GuLoader
Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Creates a DirectInput object (often for capturing keystrokes)
Uses 32bit PE files
Contains functionality to call native functions
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Uses code obfuscation techniques (call, push, ret)
Contains functionality for execution timing, often used to detect debuggers
Abnormal high CPU Usage
Detected potential crypto function

Classification

AV Detection:

Found malware configuration
Source: 00000000.00000002.862055491.0000000003060000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=downlD'"}
Multi AV Scanner detection for submitted file
Source: FACTURAS.exe Virustotal: Detection: 40%
Source: FACTURAS.exe Metadefender: Detection: 38%
Source: FACTURAS.exe ReversingLabs: Detection: 57%

Compliance:

Uses 32bit PE files
Source: FACTURAS.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://drive.google.com/uc?export=downlD'

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: FACTURAS.exe, 00000000.00000002.860970740.00000000005CA000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Uses 32bit PE files
Source: FACTURAS.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Contains functionality to call native functions
Source: C:\Users\user\Desktop\FACTURAS.exe Code function: 0_2_0306D940 NtAllocateVirtualMemory, 0_2_0306D940
Source: C:\Users\user\Desktop\FACTURAS.exe Code function: 0_2_0306DB0E NtAllocateVirtualMemory, 0_2_0306DB0E
Source: C:\Users\user\Desktop\FACTURAS.exe Code function: 0_2_0306DB52 NtAllocateVirtualMemory, 0_2_0306DB52
Source: C:\Users\user\Desktop\FACTURAS.exe Code function: 0_2_0306DE06 NtAllocateVirtualMemory, 0_2_0306DE06
Source: C:\Users\user\Desktop\FACTURAS.exe Code function: 0_2_0306DC8C NtAllocateVirtualMemory, 0_2_0306DC8C
Sample file is different than original file name gathered from version info
Source: FACTURAS.exe, 00000000.00000002.860928984.0000000000424000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameSERVICEKONTRAKTS.exe vs FACTURAS.exe
Source: FACTURAS.exe, 00000000.00000002.861579074.0000000002A60000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSERVICEKONTRAKTS.exeFE2XMURALL vs FACTURAS.exe
Source: FACTURAS.exe Binary or memory string: OriginalFilenameSERVICEKONTRAKTS.exe vs FACTURAS.exe
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\FACTURAS.exe Process Stats: CPU usage > 98%
Detected potential crypto function
Source: FACTURAS.exe Virustotal: Detection: 40%
Source: FACTURAS.exe Metadefender: Detection: 38%
Source: FACTURAS.exe ReversingLabs: Detection: 57%
Source: C:\Users\user\Desktop\FACTURAS.exe File created: C:\Users\user\AppData\Local\Temp\~DF6CBEB2FF77188695.TMP
Source: FACTURAS.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\FACTURAS.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\FACTURAS.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: classification engine Classification label: mal68.troj.winEXE@1/2@0/0
Source: C:\Users\user\Desktop\FACTURAS.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000566-0000-0010-8000-00AA006D2EA4}\InprocServer32
Source: C:\Users\user\Desktop\FACTURAS.exe File created: C:\Users\user\AppData\Roaming\Bh2BSU9xxO49MYboEPptixGKslvKjoQApxmsXHE151

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000000.00000002.862055491.0000000003060000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\FACTURAS.exe Code function: 0_2_004098C0 push 2DBAC715h; retf 0_2_004098C5
Source: C:\Users\user\Desktop\FACTURAS.exe Code function: 0_2_004098CB push ss; retf 0_2_004098CD
Source: C:\Users\user\Desktop\FACTURAS.exe Code function: 0_2_0040508B pushad ; ret 0_2_0040509D
Source: C:\Users\user\Desktop\FACTURAS.exe Code function: 0_2_0040755C push cs; retf 0_2_0040755D
Source: C:\Users\user\Desktop\FACTURAS.exe Code function: 0_2_00407179 push esp; iretd 0_2_00407181
Source: C:\Users\user\Desktop\FACTURAS.exe Code function: 0_2_00407584 push cs; retf 0_2_0040755D
Source: C:\Users\user\Desktop\FACTURAS.exe Code function: 0_2_004085B8 push edx; retf 0_2_004085B9
Source: C:\Users\user\Desktop\FACTURAS.exe Code function: 0_2_00406245 push ecx; retf 0_2_00406249
Source: C:\Users\user\Desktop\FACTURAS.exe Code function: 0_2_004072E6 push ebp; iretd 0_2_004072E9
Source: C:\Users\user\Desktop\FACTURAS.exe Code function: 0_2_004042FC push edx; retf 0_2_004042FD
Source: C:\Users\user\Desktop\FACTURAS.exe Code function: 0_2_0040972A push eax; iretd 0_2_00409745
Source: C:\Users\user\Desktop\FACTURAS.exe Code function: 0_2_004083D6 pushfd ; iretd 0_2_00408422
Source: C:\Users\user\Desktop\FACTURAS.exe Code function: 0_2_03066512 push ecx; retf 0_2_03066516
Source: C:\Users\user\Desktop\FACTURAS.exe Code function: 0_2_03064E82 push esi; iretd 0_2_03064E99
Source: C:\Users\user\Desktop\FACTURAS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FACTURAS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FACTURAS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FACTURAS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FACTURAS.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\FACTURAS.exe Code function: 0_2_0306D11F rdtsc 0_2_0306D11F

Anti Debugging:

Contains functionality to read the PEB
Source: C:\Users\user\Desktop\FACTURAS.exe Code function: 0_2_0307339D mov eax, dword ptr fs:[00000030h] 0_2_0307339D
Source: C:\Users\user\Desktop\FACTURAS.exe Code function: 0_2_0306C76B mov eax, dword ptr fs:[00000030h] 0_2_0306C76B
Source: C:\Users\user\Desktop\FACTURAS.exe Code function: 0_2_03072A70 mov eax, dword ptr fs:[00000030h] 0_2_03072A70
Source: C:\Users\user\Desktop\FACTURAS.exe Code function: 0_2_03074F2E mov eax, dword ptr fs:[00000030h] 0_2_03074F2E
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\FACTURAS.exe Code function: 0_2_0306D11F rdtsc 0_2_0306D11F
Source: C:\Users\user\Desktop\FACTURAS.exe Code function: 0_2_03076B17 RtlAddVectoredExceptionHandler, 0_2_03076B17
Source: FACTURAS.exe, 00000000.00000002.861049488.0000000000D90000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: FACTURAS.exe, 00000000.00000002.861049488.0000000000D90000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: FACTURAS.exe, 00000000.00000002.861049488.0000000000D90000.00000002.00020000.sdmp Binary or memory string: Progman
Source: FACTURAS.exe, 00000000.00000002.861049488.0000000000D90000.00000002.00020000.sdmp Binary or memory string: Progmanlock